Play interactive tour

Edit tour

Analysis Report sfk_setup.exe

Overview

General Information

Sample Name:	sfk_setup.exe
Analysis ID:	338143
MD5:	945d981860358a2da40321783865f6da
SHA1:	df551d918354421e60b458cbd7a9032080835bc9
SHA256:	407ae7a2edaae00d7e109b746153310fcfed60104687bde65b90b9a46c85f655
Most interesting Screenshot:

Detection

Score:	42
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Creates an undocumented autostart registry key

Uses regedit.exe to modify the Windows registry

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

sfk_setup.exe (PID: 6736 cmdline: 'C:\Users\user\Desktop\sfk_setup.exe' MD5: 945D981860358A2DA40321783865F6DA)

sfk_setup.tmp (PID: 6772 cmdline: 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe' MD5: E40F7EB5C693C2D90A28CBA04D85D286)

regedit.exe (PID: 6364 cmdline: 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1' MD5: 617538C965AC4DDC72F9CF647C4343D5)

iexplore.exe (PID: 1844 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4848 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

spkl.exe (PID: 6448 cmdline: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe MD5: B3660FFBFB44E9C85287E9BF41126C41)

spmm.exe (PID: 5340 cmdline: 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1' MD5: E0C9D91F9EBD2F3974B42B4DDFC1F6DC)

sime64.exe (PID: 6400 cmdline: 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64 MD5: 66D5C7CA9D59F4F6F51907CBC2C9A5E7)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.spmm.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
17.2.spkl.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: sfk_setup.exe	Virustotal: Detection: 28%			Perma Link
Source: sfk_setup.exe	ReversingLabs: Detection: 25%

Source: 21.2.spmm.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: sfk_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: sfk_setup.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown

HTTPS traffic detected: 54.39.133.136:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: sfk_setup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdb source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdbpS source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\ssleay32.pdb source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AD294 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004099DC FindFirstFileW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0041491C FindFirstFileW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_00409474 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00412380 FindFirstFileW,FindClose,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC18B0 FindFirstFileW,FindClose,

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /spyrix-products.php?from=sfk_install HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.spyrix.comConnection: Keep-Alive

Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: unknown

DNS traffic detected: queries for: www.spyrix.com

Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://css-tricks.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://jqueryfordesigners.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://lame.sf.net
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://lame.sf.netD
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://opensource.org/licenses/afl-3.0.php
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://pixelgraphics.us/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://relaxng.org/ns/structure/1.0definenameincludegrammarcombinechoiceDefines
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mi
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.mic
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.micr
Source: sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsof
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe	String found in binary or memory: http://spyrix.net/promo/dashboard/index.shtml?
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://vk.com/search
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: sfk_setup.exe, 00000000.00000003.209952617.0000000002480000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, spkl.exe, spmm.exe	String found in binary or memory: http://www.indyproject.org/
Source: sfk_setup.exe, 00000000.00000003.210213490.00000000025C0000.00000004.00000001.sdmp, sfk_setup.tmp, sfk_setup.tmp, 00000001.00000000.211570445.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: sfk_setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: sfk_setup.exe, 00000000.00000002.348991733.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentocommerce.com
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.magentocommerce.com)
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: sfk_setup.exe, 00000000.00000003.210213490.00000000025C0000.00000004.00000001.sdmp, sfk_setup.tmp	String found in binary or memory: http://www.remobjects.com/ps
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.339705822.000000000230A000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: http://www.spyrix.com
Source: sfk_setup.exe, 00000000.00000003.348789313.000000000231A000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.325756750.0000000006EFA000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_install#
Source: sfk_setup.tmp, 00000001.00000003.339821308.00000000008DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_installb
Source: sfk_setup.tmp, 00000001.00000003.339105902.0000000005130000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/spyrix-products.php?from=sfk_installh
Source: sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe	String found in binary or memory: http://www.spyrix.net/ibann
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.twolame.org
Source: sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.twolame.orgMPEG-2
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	String found in binary or memory: http://www.videolan.org/x264.html
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	String found in binary or memory: http://x265.org
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: spkl.exe	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://download.spyrix.com/spm.html
Source: sfk_setup.tmp, 00000001.00000003.338285923.0000000009134000.00000004.00000001.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://spyrix.net
Source: spkl.exe	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe	String found in binary or memory: https://spyrix.net/dashboard/api/subscription/status?
Source: spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp, spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: spkl.exe	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	String found in binary or memory: https://store.mspy.com/affiliate.php?ACCOUNT=BITEXGRO&AFFILIATE=40815&PATH=http%3A%2F%2Fwww.mspy.com
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown

HTTPS traffic detected: 54.39.133.136:443 -> 192.168.2.3:49748 version: TLS 1.2

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C946 OpenClipboard,

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C6EE GetClipboardData,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_00434448 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_0045C584 GetKeyboardState,

Source: sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

System Summary:

Uses regedit.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

Code function: 21_2_0040C5D6 NtdllDefWindowProc_W,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004808CC: CreateFileW,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Windows\runkey.exe

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041201D
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00402260
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040D33C
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041259C
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00411F58
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004E2284
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004E2D99
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004736F8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AC17C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0049E118
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004EA1FC
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00402474
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0044A72C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FCA0C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00488C40
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004BB20C
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004EB2B0
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004535D0
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004077F8
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00481C84
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A64
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A05
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AF4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700ADF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AC2
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700ACF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700AB6
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A91
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700A9A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B62
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B43
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B4A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B31
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B3E
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B28
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B0B
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BEE
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BD0
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BC4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BCB
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700BA4
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700B95
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C57
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C39
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C2E
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700CF3
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700CDA
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700C8B
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D6C
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D51
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D42
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D11
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D00
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009FB
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009E7
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009EE
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_027009CA
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700DCF
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700DB6
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_3_02700D9A
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004082DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004036DC
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00411E10
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00430D90
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_0068A700
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC1340
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CB40A8

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004ADAE0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00487C88 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00409620 appears 151 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0049EE30 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004B2E4C appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 00406914 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0049EB4C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 0040C24C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: String function: 004B2BC8 appears 49 times
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: String function: 00404C88 appears 36 times

Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: sfk_setup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: sfk_setup.tmp.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-I5RK2.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: sfk_setup.exe, 00000000.00000003.210347510.00000000026DE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs sfk_setup.exe
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sfk_setup.exe
Source: sfk_setup.exe, 00000000.00000002.349205642.0000000000A20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs sfk_setup.exe

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Section loaded: ime32.dll
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Section loaded: ime64.dll

Source: sfk_setup.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6T4M6.tmp, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-98PHS.tmp, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: classification engine

Classification label: mal42.evad.winEXE@15/478@2/1

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004328A4 GetLastError,FormatMessageW,

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E538 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004B00AC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_0040805C GetDiskFreeSpaceW,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004CC238 GetVersion,CoCreateInstance,

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_0040EE14 FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp

Jump to behavior

Source: Yara match	File source: 00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp, type: DROPPED
Source: Yara match	File source: 21.2.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.spkl.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\sfk_setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spmm.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="ff.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spm.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="skl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="sem.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="clv.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="akl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Process Where Name="sps.exe"
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sfk_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: sfk_setup.exe	Virustotal: Detection: 28%
Source: sfk_setup.exe	ReversingLabs: Detection: 25%

Source: sfk_setup.exe	String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: spmm.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spmm.exe	String found in binary or memory: NATS-DANO-ADD
Source: spmm.exe	String found in binary or memory: jp-ocr-b-add
Source: spmm.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spmm.exe	String found in binary or memory: jp-ocr-hand-add
Source: spmm.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spmm.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\sfk_setup.exe

File read: C:\Users\user\Desktop\sfk_setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sfk_setup.exe 'C:\Users\user\Desktop\sfk_setup.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Source: unknown	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64
Source: C:\Users\user\Desktop\sfk_setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp 'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Automated click: I accept the agreement
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: sfk_setup.exe

Static PE information: certificate valid

Source: sfk_setup.exe

Static file information: File size 24086096 > 1048576

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: sfk_setup.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdb source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\libeay32.pdbpS source: sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp
Source:	Binary string: C:\Development\OpenSSL\Temp\openssl-1.0.1c-x32\out32dll\ssleay32.pdb source: sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

Source: sfk_setup.exe	Static PE information: real checksum: 0x1704537 should be:
Source: sfk_setup.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x12e541
Source: is-I5RK2.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x138953
Source: _iscrypt.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x89d2

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040D034 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E0D0 push 0040E118h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004100D8 push 00410140h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406944 push 00406986h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040B104 push 0040B2B0h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A50 push 00406A88h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040E250 push 0040E27Ch; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A92 push 00406AC0h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00406A94 push 00406AC0h; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004064A6 push 0040650Dh; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004064A8 push 0040650Dh; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_004034A8 push eax; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0041157C push 004115FAh; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_0040DD38 push 0040DD7Bh; ret
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00411618 push 00411645h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FA044 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046E0B0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00482158 push 0048219Bh; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AC17C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0044C1F4 push 0044C220h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0042E1B4 push 0042E1E0h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0047E234 push 0047E28Eh; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0045C2C4 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A2C4 push 0040A306h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004542FC push 00454367h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0049C374 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A3D0 push 0040A408h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046E404 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0040A414 push 0040A440h; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004204B0 push 004204FDh; ret
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00438544 push 00438570h; ret

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Windows\runkey.exe
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp
Source: C:\Users\user\Desktop\sfk_setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6ADBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-SKKKO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-AFJU2.tmp

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-6ADBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-SKKKO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-AFJU2.tmp

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

File created: C:\Windows\runkey.exe

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Spyrix Free Keylogger.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Uninstall Spyrix Free Keylogger.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00470AAC GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004736F8 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004629EC IsIconic,GetCapture,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00470A2C IsIconic,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00481238 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0046335C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_0042DBCC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00463DC8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0040C8A6 IsIconic,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00677000 IsIconic,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_006770F0 GetWindowLongPtrW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongPtrW,SetWindowLongPtrW,ShowWindow,ShowWindow,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\sfk_setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Window / User API: foregroundWindowGot 499
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Window / User API: foregroundWindowGot 1164

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\Windows\runkey.exe
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EUIQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9A0F1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-5A3UD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-K3O8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-N2S1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-I5RK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-D44HS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Dropped PE file which has not been started: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-CIA22.tmp

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe

Evasive API call chain: RegQueryValue,DecisionNodes,Sleep

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe

API coverage: 4.2 %

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004AD294 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: 1_2_004FDF38 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_004099DC FindFirstFileW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_0041491C FindFirstFileW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: 21_2_00409474 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00412380 FindFirstFileW,FindClose,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: 22_2_00CC18B0 FindFirstFileW,FindClose,

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_00406458 GetSystemInfo,

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: sfk_setup.tmp, 00000001.00000003.315724782.0000000005900000.00000004.00000001.sdmp	Binary or memory string: @@IdPORT_vmnet
Source: sfk_setup.exe, 00000000.00000002.349265602.0000000002390000.00000002.00000001.sdmp, sfk_setup.tmp, 00000001.00000002.343818747.0000000002800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004A1A3C LoadLibraryExW,LoadLibraryW,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004D8F68 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe 'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_00480E38 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B8A78 GetVersion,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,

Source: sfk_setup.tmp, 00000001.00000003.315724782.0000000005900000.00000004.00000001.sdmp

Binary or memory string: @@DOF_PROGMAN

Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\sfk_setup.exe	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Code function: GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Code function: InterlockedCompareExchange,GetLocalTime,GetLocaleInfoW,GetModuleFileNameW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B3678 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp

Code function: 1_2_004B2868 GetSystemTimeAsFileTime,FileTimeToSystemTime,

Source: C:\Users\user\Desktop\sfk_setup.exe

Code function: 0_2_004110C4 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

Source: C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	DLL Side-Loading1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	Input Capture21	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Registry Run Keys / Startup Folder11	DLL Side-Loading1	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery4	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Access Token Manipulation1	Software Packing1	Security Account Manager	System Information Discovery47	SMB/Windows Admin Shares	Input Capture21	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection13	DLL Side-Loading1	NTDS	Query Registry1	Distributed Component Object Model	Clipboard Data2	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder11	Masquerading21	LSA Secrets	Security Software Discovery41	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Modify Registry1	Cached Domain Credentials	Virtualization/Sandbox Evasion3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection13	/etc/passwd and /etc/shadow	System Owner/User Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sfk_setup.exe	28%	Virustotal		Browse
sfk_setup.exe	25%	ReversingLabs	Win32.PUA.SpyrixKeylogger

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	0%	Metadefender	Browse
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NLKP.tmp	0%	ReversingLabs
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	0%	Metadefender	Browse
C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3NTTN.tmp	2%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.2.spkl.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
21.2.spmm.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Virustotal		Browse
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://pixelgraphics.us/	0%	Virustotal		Browse
http://pixelgraphics.us/	0%	Avira URL Cloud	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.twolame.orgMPEG-2	0%	Avira URL Cloud	safe
https://spyrix.net/usr/monitor/access.txt	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.actualkeylogger.com/help.html#registrate	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://lame.sf.netD	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.auction.co.kr/auction.ico	0%	URL Reputation	safe
http://www.dk-soft.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
spyrix.com	54.39.133.136	true	false		high
www.spyrix.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dashboard.spyrix.com/account/login-from-program?email=	spkl.exe	false		high
http://search.chol.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.dropbox.com/1/fileops/copy	spkl.exe	false		high
http://www.dailymail.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.indyproject.org/	sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, spkl.exe, spmm.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fr.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/create_folder?	spkl.exe	false		high
http://msk.afisha.ru/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ya.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.dropbox.com/1/shares/dropbox	spkl.exe	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	sfk_setup.exe	false		high
http://search.msn.co.jp/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buscar.ozu.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api-content.dropbox.com/1/files_put	spkl.exe	false		high
http://www.ask.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://pixelgraphics.us/	sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.google.it/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.twolame.orgMPEG-2	sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sads.myspace.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://spyrix.net/usr/monitor/access.txt	sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp, spkl.exe	false	Avira URL Cloud: safe	unknown
http://www.pchome.com.tw/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.actualkeylogger.com/help.html#registrate	spkl.exe	false	Avira URL Cloud: safe	unknown
http://www.rambler.ru/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.google.si/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://busca.orange.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/copy?	spkl.exe	false		high
http://auto.search.msn.com/response.asp?MT=	sfk_setup.tmp, 00000001.00000002.344377806.0000000005600000.00000002.00000001.sdmp	false		high
http://www.target.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	sfk_setup.tmp, 00000001.00000003.318099211.0000000005F17000.00000004.00000001.sdmp	false		high
http://search.orange.co.uk/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.centrum.cz/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://service2.bfast.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ariadna.elmundo.es/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://opensource.org/licenses/afl-3.0.php	sfk_setup.tmp, 00000001.00000003.321606072.00000000064FA000.00000004.00000001.sdmp	false		high
https://api.dropbox.com/1/fileops/move	spkl.exe	false		high
http://search.daum.net/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://x265.org	sfk_setup.tmp, 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp	false		high
http://list.taobao.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.taobao.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.amazon.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://lame.sf.netD	sfk_setup.tmp, 00000001.00000003.338354456.00000000091E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asharqalawsat.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.gismeteo.ru/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.rtl.de/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
https://api-content.dropbox.com/1/chunked_upload	spkl.exe	false		high
http://www.soso.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.univision.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.ipop.co.kr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.auction.co.kr/auction.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dk-soft.org/	sfk_setup.exe, 00000000.00000003.209952617.0000000002480000.00000004.00000001.sdmp, sfk_setup.tmp, 00000001.00000003.212148023.0000000003170000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.orange.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://video.globo.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.google.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.dropbox.com/1/fileops/move?	spkl.exe	false		high
http://buscador.terra.com/favicon.ico	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search1.taobao.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://search.aol.co.uk/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.dreamwiz.com/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://www.recherche.aol.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high
http://vachercher.lycos.fr/	sfk_setup.tmp, 00000001.00000002.346006634.00000000056F3000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.39.133.136	unknown	Canada		16276	OVHFR	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338143
Start date:	11.01.2021
Start time:	17:58:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sfk_setup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal42.evad.winEXE@15/478@2/1
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 53.9% (good quality ratio 49.8%) Quality average: 79.8% Quality standard deviation: 30.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 52.255.188.83, 51.104.144.132, 104.79.90.110, 92.122.213.247, 92.122.213.194, 67.27.159.126, 8.248.139.254, 8.253.204.121, 8.248.135.254, 67.26.73.254, 51.103.5.186, 88.221.62.148, 172.217.23.40, 172.217.23.46, 20.54.26.129, 152.199.19.161, 51.104.139.180, 51.11.168.160, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, www.googletagmanager.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.google-analytics.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, www-google-analytics.l.google.com, ie9comview.vo.msecnd.net, www-googletagmanager.l.google.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target spkl.exe, PID 6448 because there are no executed function Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:59:48	API Interceptor	3x Sleep call for process: spkl.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	hiytvys.dll	Get hash	malicious	Browse	46.105.131.65
	l7rgi3xyd.dll	Get hash	malicious	Browse	46.105.131.65
	ymuyks.dll	Get hash	malicious	Browse	46.105.131.65
	Client.vbs	Get hash	malicious	Browse	92.222.182.237
	INV9698791470-20210111920647.xlsm	Get hash	malicious	Browse	46.105.131.65
	hy9x6wzip.dll	Get hash	malicious	Browse	46.105.131.65
	INV7693947099-20210111388211.xlsm	Get hash	malicious	Browse	46.105.131.65
	jufk0vrar.dll	Get hash	malicious	Browse	46.105.131.65
	Pioneercon Project Contract.exe	Get hash	malicious	Browse	51.195.53.221
	Outstanding Payments.exe	Get hash	malicious	Browse	51.195.53.221
	Quw3X5oAwe.exe	Get hash	malicious	Browse	51.83.208.157
	H56P7iDwnJ.doc	Get hash	malicious	Browse	142.44.230.78
	11998704458248.exe	Get hash	malicious	Browse	54.37.160.157
	Test.HTM	Get hash	malicious	Browse	145.239.131.60
	2143453.exe	Get hash	malicious	Browse	51.83.43.226
	Buran.exe	Get hash	malicious	Browse	158.69.65.151
	https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9	Get hash	malicious	Browse	87.98.225.159
	http://icapturefilms.com/albino-guppies/paramour-deposition-questions.html	Get hash	malicious	Browse	51.81.73.219
	SKM_C258201001130020005057.exe	Get hash	malicious	Browse	188.165.228.217
	https://lakewooderie.umcchurches.org/verify#Sugar@saccounty.net	Get hash	malicious	Browse	145.239.131.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	e-card.htm .exe	Get hash	malicious	Browse	54.39.133.136
	e-card.jpg .exe	Get hash	malicious	Browse	54.39.133.136
	Payment.exe	Get hash	malicious	Browse	54.39.133.136
	Test.HTM	Get hash	malicious	Browse	54.39.133.136
	mailsearcher32.dll	Get hash	malicious	Browse	54.39.133.136
	mailsearcher64.dll	Get hash	malicious	Browse	54.39.133.136
	Curriculo Laura.xlsm	Get hash	malicious	Browse	54.39.133.136
	prints carlos bolsonaro.docm	Get hash	malicious	Browse	54.39.133.136
	https://friskyferals.info/cgjx	Get hash	malicious	Browse	54.39.133.136
	https://marseral.am/wp-includes/aw?i=i&0=leo.cai@mainfreightasia.com	Get hash	malicious	Browse	54.39.133.136
	https://bit.ly/35cYpiT	Get hash	malicious	Browse	54.39.133.136
	http://mckeepropainting.com/.adv3738diukjuctdyakbd/dhava93vdia11876dkb/ag38vdua3848dk/sajvd9484auad/ajd847vauadja/101kah474sbbadad/wose/Paint20200921_2219.pdf.html	Get hash	malicious	Browse	54.39.133.136
	https://new-fax-messages.mydopweb.com/	Get hash	malicious	Browse	54.39.133.136
	https://survey.alchemer.com/s3/6130663/Check-11-Payment	Get hash	malicious	Browse	54.39.133.136
	https://proudflex.org	Get hash	malicious	Browse	54.39.133.136
	https://www.food4rhino.com/app/human	Get hash	malicious	Browse	54.39.133.136
	https://www.food4rhino.com/app/elefront	Get hash	malicious	Browse	54.39.133.136
	https://smlfinance.com/wp-content/uploads/2021/DHL2021/MARKET/	Get hash	malicious	Browse	54.39.133.136
	https://app.box.com/s/cwvx197f4b14m7rxw8vlqc08jwv0c5og	Get hash	malicious	Browse	54.39.133.136
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse	54.39.133.136

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1887
Entropy (8bit):	3.411489499234797
Encrypted:	false
SSDEEP:	24:8BoLzWNBzIgQqAU6YQfX8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ss0g8UPQfM4+w4+9kWz99i1l
MD5:	974D3B0B868CC7629116E8A6AF39F5BF
SHA1:	FA226F84A41E379F9C9F879EEECFF001619CEE90
SHA-256:	F1EC91BE2AE9BF9A42F6029A06E53EF274DBD0C3534A09CF2A622E03028F6F0A
SHA-512:	62535467EC61283587442D9D49722D5732617B1D72931469B024045ACF4DD7451D50CB286AB575B8E4F7214F722494B8D1149D46828713460D71CAFCDB0B3325
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. .....:......Qj........z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..>.....\.....\.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyrix Free Keylogger\Uninstall Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 12 00:58:53 2021, length=1233133, window=hide
Category:	dropped
Size (bytes):	997
Entropy (8bit):	4.5820731515790305
Encrypted:	false
SSDEEP:	12:8m2ma0cmCgCweOLnZPOSipr8AjAkcS62LlX1OSddEbVX1OS7p56656FGm:8m28BzIvfAkz6YlX8kQVX80pP1m
MD5:	E1CBE0E8DBB808217D729F662686E0C9
SHA1:	EC0B838AA4D79BE3FABA4E3F40D597DC45F0C660
SHA-256:	D26EA177A7972B3D753DE1F7A64BAF7CFEF4AFFD2C4B6719B835D36BF80ACF1E
SHA-512:	94376A3AD2A10C9223B1A1A63A68B18F5951C969864D3F7323C9A1B45529BB671417A05FA83E7096041CF643ACF2E07550B2DC11DF6B4ADA8793DBC6FBC15788
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...........P@8.......z.................................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....f.2.....,R[. .unins000.exe..J......,Ri.,Ri.....>K....................7Ak.u.n.i.n.s.0.0.0...e.x.e.......q...............-.......p............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe..B.....\.....\.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.u.n.i.n.s.0.0.0...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.`.......X.......123716...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Spyrix Free Keylogger\logs\44207.log Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	5.145737436944543
Encrypted:	false
SSDEEP:	3:SAg3o5MBRXRFKDF8cz+L3I:S2yx2ecz04
MD5:	5C0AA423BD063634A8A3A975186947EC
SHA1:	A2FE59C51005FAB923B25A0267BF7C2E96FCFF7C
SHA-256:	9030C61312FBCD272EB0409381CC0A99F3ABA47B740A983A0942F85266472861
SHA-512:	8834978F22048D2B73FF30FA3C06793D764C6522709205159E7409FC1E0339453DF8E68FB86BB79A5560ADC0886AA7CC83F2D7FF647A5626ADE6C4003ED5C14F
Malicious:	false
Reputation:	low
Preview:	.DAYLY LOG..ACTIVITY;44207.7499280787;;;ID: 51 Start of User Session;user..

C:\ProgramData\Spyrix Free Keylogger\logs\44207.wdb Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3013000
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3586764910583943
Encrypted:	false
SSDEEP:	24:TLiuWsm2vjGIqbLyeEu/2vjGIyLieEu/2vjGINx0b0yEdm0+:TZWx2vjY5Eu/2vjKpEu/2vj1eEdG
MD5:	79891721CD58EDCE83918E85242B7EBE
SHA1:	38BBB341F61A8B7F192C61A583256F65F9EA38C1
SHA-256:	71FCDDAF3BF75D29B4E7C499F5612C47AD101C4229097468CF7C079F9DCD9714
SHA-512:	7547AD79BA932BE8C8C407618994EBA605A9CEF2D86C8851A9778E6CE65930621D3454027ADF95C2C38FF7E8293C05E1FB2689CA86C542DC7EAD498CFEA29F16
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .........................................................................-........A....A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\logs\44207.wdb-journal Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	data
Category:	dropped
Size (bytes):	22092
Entropy (8bit):	0.33990497960485877
Encrypted:	false
SSDEEP:	24:o+t/XqLiuWsm2vjGIOVqLyeEu/2vjGIe+7:oMvqZWx2vj2Vq5Eu/2vjm+7
MD5:	5B87AE7F549B18FD277D05BF25E31141
SHA1:	46AC2071EDA592FD5E53BB87D885D39C737E887B
SHA-256:	A107A38C8CEA3028A75A2F23D815EC491D33F3F7BAF883F44260D89918658601
SHA-512:	578BBB1D8FA3083B278EC17C9D901E6FB1050987D10C793152CDF17432CA3C24EDF66250E55AF66865B749A218FAA15A241896E71B19FA18B01E544F6679FFC1
Malicious:	false
Reputation:	low
Preview:	.............aF..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c.................0...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\logs\logs.dat Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.562304859797067
Encrypted:	false
SSDEEP:	3:DpRRLCAXeZoYBnWyCCAXeZoQAOZocA/dov:UOYp4CONFcwdy
MD5:	0152BCDEE781FE8C0BA09600A9A9FD8E
SHA1:	CC68708C64B1C86ED93800CF81ADB955C2DE890A
SHA-256:	CB4338125C9B3BEDBA0810B2CDF6B71BF0CA4EEBE85F85CA863D91FD09819FA8
SHA-512:	628B15F65490ABDFCF095EF436093F064CDE586853F17A1148911734ACEB2449D192924F048619C8FCD94D818546E21C8F4224A9E00E8377BDA3B9E826718FF7
Malicious:	false
Reputation:	low
Preview:	[Logs]..FirstLogName=44207.log..AllSize=0..LastLogName=44207.log..CLog=44207.log..CSize=78..

C:\ProgramData\Spyrix Free Keylogger\temp\desktop\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:24 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1875
Entropy (8bit):	3.4076810166556637
Encrypted:	false
SSDEEP:	24:8Bz5zWNBzIgQqAU6YQ5X8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ds0g8UPQ5M4+w4+9kWz99i1l
MD5:	C8BBDA82FB7179F4369627458DB9C189
SHA1:	34C318DDBC1066F6AD6382BE40F049366E3A839A
SHA-256:	23D5CC51FCF829B7FE58FB01EAEF7205A10DAD519AB0529CA07A99173C1D5AE7
SHA-512:	67DB7638EF70624DEE1C3176353C236FD7C1564C93986731801A9A8927A5F1F1474A4C65D35ADCC2B9072D456018EE0D003B150BFD3C497A06C9FB4D36DF0428
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. .....:................z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..8.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.ico.........

C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	8119
Entropy (8bit):	5.199863905442922
Encrypted:	false
SSDEEP:	192:MPTPyPrPjPDPwZYZ4bZ0PQZY727h7WPQZe7W:ML6jbrYZYZ4bZ04ZY727h7W4Ze7W
MD5:	2D16048F01B852447DEA6C86543B0B09
SHA1:	0B45B8A5E97FDC02AA9F5D0B5E8517B0DED91405
SHA-256:	DD080926796A53A62F47D23022ED7046F88A419587D890325C0C0097B498C5F5
SHA-512:	01C7F8A1ABD0632A3EA958C1FC51C7B02C41BA14E1AB5F08DF138B6465732AD68FD0837D05722A2CF85A2BBC6A84499E94308E0330DDFF54F85D2610EF8E112B
Malicious:	false
Reputation:	low
Preview:	tid=-1..lt=..Users=Administrator..Administrator,DefaultAccount..Administrator,DefaultAccount,Guest..Administrator,DefaultAccount,Guest,user..Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount..AllUsers=Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount..Administrator,DefaultAccount,Guest,user,WDAGUtilityAccount[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..KDelay=5..[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..hide=0..[Window]..Top=50..Left=50..Width=1280..Height=620..BottomHeight=170..LeftWidth=315..LeftTop=125..ctNone=48..ctSTime=180..ctAlert=101..ctSearch=141..ctSN=141..ctBlock=141..ctApp=139..ctTitle=132..ctValue=218..hide_p=0..[Window]..Top=50

C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid Download File
Process:	C:\Windows\SysWOW64\regedit.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1636
Entropy (8bit):	3.7762774370604513
Encrypted:	false
SSDEEP:	48:tKleUhKVfcfCokHCSdiiannHMCadjHMCadvdla:Sh0U64ianujuvdla
MD5:	2EBFB7A6AA03446B019416AD63FD43FF
SHA1:	60D5FFB6117C917BDB077595CE7FB795A698DD48
SHA-256:	414D6296B9B5098C422F665D239634E2875DD31D86894DDD15DA02208058D768
SHA-512:	D062B86D8898BD04A9A3DC87A6B0387B7C47B2ECB5F9FA3FB0445A75457D80C3BAB118C46546133EA2B9E119F438714335A108A8A7BD478382203340AAF564C6
Malicious:	true
Reputation:	low
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.\.S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r._.i.s.1.].....".I.n.n.o. .S.e.t.u.p.:. .S.e.t.u.p. .V.e.r.s.i.o.n.".=.".5...5...9. .(.u.).".....".I.n.n.o. .S.e.t.u.p.:. .A.p.p. .P.a.t.h.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.".....".I.n.s.t.a.l.l.L.o.c.a.t.i.o.n.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.\.".....".I.n.n.o. .S.e.t.u.p.:. .I.c.o.n. .G.r.o.u.p.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r.".....".I.n.n.o. .S.e.t.u.p.:. .U.s.e.r.".=.".h.a.r.d.z.".....".I.n.n.o. .S.e.t.u.p.:. .L.a.n.g.u.a.g.e.".=.".e.n.g.l.i.s.h.".....".D.i.s.p.l.a.y.N.a.m.e.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r. .1.1...5...1."...

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-0B1S9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7609
Entropy (8bit):	7.838852889190603
Encrypted:	false
SSDEEP:	192:CRjl+OutIyaaHKip9QY5Lg6pWlicYMG5/b:OshLaIFUug6pGzo
MD5:	359D85C48DCA7C9C529A7EC0F4D30DC4
SHA1:	749EE1A5C90299C9360DD3131222CE92584FFCC2
SHA-256:	03BBB9C7C115C8FD5E2FB573B86687AE27672C7F8B970FB9661E5007FC6E42BE
SHA-512:	9494049C968B6BEE93090630086EB4D8129B48E5E6CBA3CF2E7EEF2114948316D0068F859594EA3A464AB2FE99510C1C94EEF786A933114C0CFC630C13435B1D
Malicious:	false
Reputation:	low
Preview:	GIF89aG.9....Gq.....$...Z...ud.........\|.........,&..........M5.................g.........................yv.....6.............v.72......g.L........C.................T.......m...kg.......eX...X}.k..{................s.......{..........................................n...................C......ZU..................................................`......D@.M........z........F..........\|..a....................i........................s.......UQ...............................4c...................?%....w.#Y.BBB.........000.........fff.....888TTTxxx.ZD..........................d.........................................................................r..*]....Q.....U..~............OM.......................................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-11S5P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90361
Entropy (8bit):	7.9769989580983625
Encrypted:	false
SSDEEP:	1536:Zy6BW/LDE6LyfJVEr+jMi2hm9YFrRUv9Ie2eIDtTER:M6eL46LCJVpCsy6IAIRe
MD5:	3475836FCF6BBE603D1E83DD8A3C4765
SHA1:	DD92253B2600C1612FDC657FFB41E4FD66352C6B
SHA-256:	F8E582779693B4DAB740E13721093D9B8EB69DC0FF5CFACB5208C04321BA37F8
SHA-512:	8AE5E48692962A7F8049521F3B3510F1F1B9EF7CAF4A40526D7D6286BBEB647CFA54D88AF9A8E03AD884A42AECBA677E0A229577A394CD228CDF98E0F99506E4
Malicious:	false
Reputation:	low
Preview:	GIF89at..........u.J................i]OOH..........mQ...K2..C$..............B.p..X...dH....V<........M........%#"...........z.....[&....x8#.........`..............,$.....}}}.._...d0......Hw.hih...L..............xK..q..v.............e(......~......`.z`..........g.;".......t..........Y....r+.....q....xd...........R...........ad\.......WA......a...Y).R......3... .....]CHA6.......n............z ....a<..2.b...................L0....%+...nst]cc......lnk..M..x....QD.....&........Y..;........syu^^X......~..........fnr..e..xL..................U.hV....`..j................D....g..R....^.....<5.vqCCC..84/..2..5../..;.....&....L%.r+...........).....................................................W..V.......v............R......WYW....?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\is-UNGJL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Reputation:	low
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-12C72.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.248529327128576
Encrypted:	false
SSDEEP:	3:N1KJS40dyTKVQXGNErnVernn:Cc40dyTK6XaErVer
MD5:	8F1A40DDD71F7EA45DF0E2FE0BACA597
SHA1:	E64C2983DE93F6566752E01BC0A2A5F3983759F6
SHA-256:	2360EAEBD32653D08F75DB2F1C2AE67F4AE3906D09F94AD4C532BA35951553D1
SHA-512:	C73BE7BE0C52CDAB4BA1E3022D9D1E1E2DBC897E34A4F243A7D8936BB7B4A2F46DF2BD1F6E7CA63F6A80C799E4EAD1EAEE38550683473EBF53FC8E2569112BBF
Malicious:	false
Reputation:	low
Preview:	http://www.spyrix.com/purchase.php?prg=sfk

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-D4F46.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 327 x 57
Category:	dropped
Size (bytes):	7829
Entropy (8bit):	7.826687568770807
Encrypted:	false
SSDEEP:	192:ZwZ+70N539DtmJu0clifT2eTb6uRM3Q6q:Z0+QNftOcloTBTtRMHq
MD5:	241545A94AF6185978CFD96B32101E95
SHA1:	75FC98239798D933FD87978D7545964CE0E611D8
SHA-256:	01FD9E13EEF1D14C6C2B4E5EA16E40789FE5423715500C29A7DC58FDF2C1364F
SHA-512:	1A127A5EB9573418B3301A0E498B5335AEE0E99F87C8B4C12B6907476D49D1781264700A692FBE24971D405695AAE9BD5C4F40E95D10A1F26CBB0818A32899E1
Malicious:	false
Preview:	GIF89aG.9...............g.............r...w................m.............$.....Z...ud.........\|..............-(.......M5o...................h.............6{...........yu6.............w.83.........L.....>..d.........U....m...mj.......eYY~.k..{.............................w........c....................!r............p........W.........E.....ZU.......j.................................b.....Qw..D@.N......L.z......F.A...........\|..N......f.............x.........].......UQ.........................................`.....?%.w.#Y....BBB...fff............000...TTT888.....xxx.ZD.....................b.....>j....Iq...................................................@l.......~........Q..U..............4c.........._......OM.................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\reg\ru\is-LTAH2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	GIF image data, version 89a, 884 x 198
Category:	dropped
Size (bytes):	90699
Entropy (8bit):	7.976611505014986
Encrypted:	false
SSDEEP:	1536:TO6fc7nz/3pXEtubO/n9l7STXTQXsxalgH8UsX4UzAY3p18N14e86zebLqDf:BEzzRXEtubO/yTXTlxbrUDcu/8v4e8AH
MD5:	EF79CF8AABBC41E42025D3ACF51B36C9
SHA1:	71940D0E9D230D295D8A89397DF4ED0BA5BD72DA
SHA-256:	24D4AC7D4101A76F35F636660A92AD95E1C068065D17BB4F8CC27CD3C91402F8
SHA-512:	E579BEED091D3A4068AE664640BA0EDCFB309F0C7142CD452B45F79A69B6423A8237D9256C9A0E3FFE4F22EBC1C01D26B2BE79FD7B3E3E9643A1142A997E5902
Malicious:	false
Preview:	GIF89at.......s...............f[.......u..mQ...ONH.L1..C;................C+.qX....X.dH......W>...........M..........'&#.z....[&..x7".......................Y........+#{}}.......^...a.......hih...X..............zL....n..v..........e(........`.za..........j.7 .......m..........y.......u,......q....we.........T.............dd[.......WCi......e..Y*.R...4...!.....\BEC?..........n...............a>..b.Cy.............=CH.}.....M0....%+nst]dc......mpl.O...N..x....E?.....).....[..;.......sxq[^X......}.........c...fmr..~M..................L.k_...._..j.{.................D....f....a.....?(..{.\|{974..5...../..;.....&....L%.r+...........).......................................................................W....v...............R...YYW.......?%.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="ht

C:\ProgramData\Spyrix Free Keylogger\temp\runprg.ini Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	ISO-8859 text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8962
Entropy (8bit):	5.256882439394726
Encrypted:	false
SSDEEP:	48:eI80Z8i66cG666666666666666a66a666A6666666666666pP6q9kRng6IbvuZzn:PZ37SeZDyzEMyvDG44Brg9UJ
MD5:	8432F5650E79B208D758026CF5BF338E
SHA1:	1ED26B889173F89DD8EAB1E41F7A32117B2C7247
SHA-256:	E95B4648A7331923EFB1D4A3FDA71F09E7EA8EB90A40DA829C4E8076E24CEECB
SHA-512:	E51F902DEEBED208265536A2789F877F0BC6DA7663ED557494DF132A50E5E9622899F91DDB1EBB1E5186363FFC4527DFB23B29D9F3A15D04D400D4C02EB5E2A8
Malicious:	false
Preview:	[winlogon.exe]..Description=Windows Logon Application..Path=C:\Windows\system32\winlogon.exe..[lsass.exe]..Description=Local Security Authority Process..Path=C:\Windows\system32\lsass.exe..[fontdrvhost.exe]..Description=Usermode Font Driver Host..Path=C:\Windows\system32\fontdrvhost.exe..Usermode Font Driver HostC:\Windows\system32\fontdrvhost.exe[svchost.exe]..Description=Host Process for Windows Services..Path=c:\windows\system32\svchost.exe..Host Process for Windows ServicesC:\Windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exe[dwm.exe]..Description=Desktop Window Manager..Path=C:\Windows\system32\dwm.exe..Host Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windows ServicesC:\Windows\system32\svchost.exeHost Process for Windows Servicesc:\windows\system32\svchost.exeHost Process for Windo

C:\ProgramData\Spyrix Free Keylogger\temp\start\Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 14 06:59:00 2020, length=5197960, window=hide
Category:	dropped
Size (bytes):	1875
Entropy (8bit):	3.4085532684014765
Encrypted:	false
SSDEEP:	24:8BoLzWNBzIgQqAU6YQ5X8sDVX8w4VX89kW0HYxeZ89ip1mC1mEm:8Ss0g8UPQ5M4+w4+9kWz99i1l
MD5:	99C50A578F755B5B7F2944321B54F172
SHA1:	36C177039F9D6E789CBB0E3327F821FD38EC912D
SHA-256:	AA4AEFAD2DF913661F730A40C2C2E98C8938B2F388F401323300274B3C664FD0
SHA-512:	CA7BD242D3933183A7599CE482DB692AB219064D0AE7185F2BAEAEEA908FA4F5E36AA59F59D2A7B755C4196B13B89B16D2F8CAB997C48D30FA32A94A73A13AB9
Malicious:	false
Preview:	L..................F.@.. .....:......Qj........z.....PO..........................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....Z.2..PO..P`? .spkl.exe..B......,Ri.,Ri...../i........................s.p.k.l...e.x.e.......m...............-.......l............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe..8.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.s.p.k.l...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.>.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.m.a.i.n...i.c.o.........%ALLUSERSPROFILE%\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\main.ico.........

C:\ProgramData\Spyrix Free Keylogger\temp\start\Uninstall Spyrix Free Keylogger.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Jan 12 00:59:16 2021, mtime=Tue Jan 12 00:59:16 2021, atime=Tue Jan 12 00:58:53 2021, length=1233133, window=hide
Category:	dropped
Size (bytes):	985
Entropy (8bit):	4.5973441775262405
Encrypted:	false
SSDEEP:	12:8m2ma0cmCgCweOLnZPOSipr8AjAkcS62LbX1OSddEbVX1OS7p56656FGm:8m28BzIvfAkz6YbX8kQVX80pP1m
MD5:	DE7239436E5DF210FA738C20EF2B7E87
SHA1:	D7A09F6405B5A4D5E68578A4A5730D96D93ED35F
SHA-256:	74AE6D864FDEB6917B2D051873BF1B426366770C30ED791FF72B1A6DADF35DC6
SHA-512:	AD4E92DE7120183CDB88AFE7DECCE0C1D3AD94E7C5B0BFFD182E43E38531F3AF0EA1C673F1DC5AD90F241FC4387F8F4F632A7F8DF02038F8CA175EDA4A786533
Malicious:	false
Preview:	L..................F.... ...........P@8.......z.................................P.O. .:i.....+00.../C:\...................`.1.....,Rh...PROGRA~3..H......L.,Rh.....F......................n..P.r.o.g.r.a.m.D.a.t.a.......1.....,Rm...{827D2~1..~......,Rh.,Rm......g.....................w .{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.....f.2.....,R[. .unins000.exe..J......,Ri.,Ri.....>K....................7Ak.u.n.i.n.s.0.0.0...e.x.e.......q...............-.......p............4.......C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe..<.....\.....\.....\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.u.n.i.n.s.0.0.0...e.x.e.5.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.`.......X.......123716...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\ProgramData\Spyrix Free Keylogger\temp\stat\dlog\2021-01.wdb Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	SQLite 3.x database, last written using SQLite version 3013000
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.4925293635413527
Encrypted:	false
SSDEEP:	48:TZW+82paYaLa/2paKqLa/2parTlQpz5v6La/2paelwTlQpUKLa/2pa2ENalwTlQW:9Wc03a3sQ723jmQN33M0mQW
MD5:	2A6F593A71D4D55B09EBC6D6BA5CBC03
SHA1:	84290ACD2BA4A4D85F0C6CD0462C1C647345250E
SHA-256:	F9D71422F851EA3253909E3679DADF044680FDA55EE913B209CF5D00464F8ABB
SHA-512:	755928377F734B9691339CEB8A64E74FD21592483AA0E35760F05F6D18316B79DB767712B02AE390D3CB39B17A883911C81D03E650951746994A641EAE54C2C5
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................-........;....;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Spyrix Free Keylogger\temp\stat\dlog\2021-01.wdb-journal Download File
Process:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
File Type:	data
Category:	dropped
Size (bytes):	55972
Entropy (8bit):	0.4447428671258931
Encrypted:	false
SSDEEP:	48:qMIqZW+82pan9qaLa/2pa4S8TlQp8+BqqLa/2paQMHlwTlQpnq6La/2pax7:qNyWc013GiQ7Bl3IFmQlV32
MD5:	1AE3A16DFBDBF405B378033377304CE7
SHA1:	BF3EBEEFBA5C1B17BC0437C025C9FDAE2DFAB2FA
SHA-256:	E33985C5BAEAC13895B252DF2E6DE067A0902DACB13FB917545F8380F32A1C32
SHA-512:	EAAAC7343427DD7FC0276FAB178BADCD36C74AEEDE261ED7A82A1C2DEFA2F9D9CDA82A5A4AF88E7A40B6D2B8E68743F56D6B47C407D9E516A30753E8972C0295
Malicious:	false
Preview:	...............b.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-19DK8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.7525569355376955
Encrypted:	false
SSDEEP:	12:6v/7MyC90RfzncoB9d+Jfty3DKiuhnS1nWXpvQTMmy5ZKr+NLQymmFT040q11aZ2:eJ6iDKNdanodwMmyvKr2+40q1UFWVt
MD5:	D060EB33F8B5DFA18682625CE21C1F46
SHA1:	DEC3B1DE06D2D855408C16D93365711088BBE705
SHA-256:	F6C2720D108D96B429E82883EE44CE7EEC31F4194DA99391DC023D6797FA0886
SHA-512:	BBBCDC3E03214E686DCB05094ADE3A9FFB510CB5BF4DAF28B607BC50349C1B675074AE7EF4DB99E86A00C661B31473D858353EB3DB8734639E8FF00B71AAEC6A
Malicious:	false
Preview:	.PNG........IHDR................a...?IDATx.m.[l.U..33...N.e..m..n.mS....$...Z.. .....K..>..D..`h.D....@..... .4B...,...-.,.......t5....s......;./.huC..]./.d.M.0.3t0....u'.../..o...n-.U.~<..OS.`.-.n..a0..9<..._@U......m..\|....W..y.....g...;. J.e.C..s...5............./....i.".....6I..o...TF..#....=r`N.[.....>R.S..p.(...%.B.%....W{..-@....cr\|....D~.CF..3...q5W...*....k....&..58..40I.+V.."....A.f...e 9^.l....6:.Q....Z..i9..;..6..-.....aX<..1Kqc:w.L.\|\|.d K..V.....o8.6......qA...............;#.h........_I}..S..H.........$....`.A_R.\...r.D9.....fz\|%g....,...N.......n^...v...v;8..(Y.[..P......P0...AB".Rf..vl.On..C.u.(.C..I....h9....\..t..c.c...Xr~...}..^z...(..m....[L)..g.8]......2....v.7.......R..;...^..B........F....k...%.o2.. .^=Q.!.......b..%....P.T.U<v....(..A..w...........M1M7.SS..6fS.mB%..7.....M5....A9.:'...Q^..j...Y.s-.\ \|l......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-19SBS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	486
Entropy (8bit):	7.403940932243279
Encrypted:	false
SSDEEP:	12:6v/7H2DBCOIXU00QhP+CCTV44lVCcK8ajSR64+eg:C2MXURCCTCXcK8286Heg
MD5:	49CBAB461388899937D45CE5F40FEA6F
SHA1:	4333CFB198B2F8078D38159AE6F37CF2056AC6A9
SHA-256:	30DBAE48834681F6F8E6A6867B5A83582DFBCA8E61C51C8A189687055F1A9042
SHA-512:	5A0C295DC41860B4F650D82B43EFBB4F7369A7DCC6844F8837DA8708F531A4D4C17749152536219492ABAA5667FFC63C0547AB2BD257068CF9BCDD9C47492595
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..?K.P...3..?C.qi.T.E...,Up..kgg...b.......A.....8..."h...DDA.1...XJmKz..<...wo.... ....M..V.....o.2Q..e.#<`....E..l.....Y......m#..4...Fb2..D..Q7).K...b.i.....y...9`..^._Gv...a..T.j......1..D[.[...!}`.%....5........k...Y.....!z.u....\2!2....1 .H-.P\I)!......2B.!.[......`+....].F.1....F.I...(/..>}?.....v....w.C6C.H...E..w.v.S.q....?I...a......l<#~.....U....U.^.Q.( ~.G.thG/.....,R.).U.K?9.u........g...L_..wt../.....2.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-2EVNU.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.949963945175186
Encrypted:	false
SSDEEP:	24:PE14x6qLv19cI/PRw1ZoPh+tV/HFm+TIe0WmY:s1ALtDtPh+tVvz0WB
MD5:	E929E2F2B14B9EC2EC42A663F3C7EEC2
SHA1:	2E66730E02EEDA9641153D48F408CECFB72E92F6
SHA-256:	A6DB330F99F450E9BBA286E6FE96B13DD8DA5079A7A1F8E191A09123C6A61906
SHA-512:	5AFBE7ABB77DA9F37D5E0392BE622C8AC8BA0C07F02430E5F5FEC624074F12ABA39BEFF2AA4D44CD3029886A8B71BE7AEAE9F6AED8A95D83369984EC39CF066C
Malicious:	false
Preview:	............ .h.......(....... ..... ........................................................E@...K...$..].......................................#.../...C...N0...]!..^...J..............................A&......P...U17>.FOX.Q\g.Vbm.z:..j)..J...].."............A..4^...C;@.OWa.Ual.ox...............^\.y5..g..x-..."......L...`...]%..................................j#..}7...G...5.T....8..Ic........................................<...K...O#..E.......A..h'..............w...v................I...u4..]$...F..Y!......v&.h&.............................V`j..C....@..m0...J..\|(......{)..E!..zq.ehm..........................C...n...<..S..z'.......7.g:.i7".....TUY..................rY..O..._ ..~3.....y(......K..\|7.{C#.._;..~E.^E0.{oj...~.lRP.e3...x3..v..q...;..v'......R...1..d9..yM.(:...v..<..v'..b....^...o$...>..y...+..i.#..........8q.}0..r.......N..h...^%...<..S.....?...1..p...................p"......{..w..W..L..N..A...5...*..u$..........................].:..-..J..;......\|(..y&..u

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-2OGR5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	921
Entropy (8bit):	7.692568178991757
Encrypted:	false
SSDEEP:	12:6v/7MIPvdQrswMHeAQQI/hnoG82ukRW61fAKmg0sLyVFIMVwIaJ2OnksgHDPkInc:MersR+SIZbnu+FXaYyVBtM2Oksgjlzv4
MD5:	A319CAB2BDD2363F2CE6F71874255367
SHA1:	606F86B9B032C74B9A88240A9A4933B4EA256C52
SHA-256:	0644CF298FE403904496AF78ADDCCDB46C1D3A324BC996A1423F9CC581EBFA39
SHA-512:	D74BB956EF9011436A44617B8DB7519F8335A10F55805BEC4CDB673F971E148614B9A4068146D182BB6024B5774C85CB35A4B10BEC5307F2C367179DEB45E07E
Malicious:	false
Preview:	.PNG........IHDR................a...`IDATx.].Mh.e..w.....Mf..k...BK..B+I..A.%...z(V..b.S...E.=..J...DR.R.P#..d..I..Iv...$......uczp..wx....K.o....;...8$.;Ax...).J..X..;.;...Ru/....<.J.b...`X9x.B.m@I..a-~...Q..p..V...[.....}.h_T.z.........m...6.b......-;..................#pD/........n9.g.....s...F9}..?..</......P..+o.Q.I`f/.^Ma./..\#..N.!..(c....R.S....=.....xX....L.S......}...X._~..8u\....&....p.......w.J..g............1..M...d...x6.......~..yr......[q.......^...@9.efr...:.J....8.O!...X...Y.}.........U."..sbYTm....6.O.5.....[.-.YBK_....W./..x....NVJ..g..e.c..a...../$..&.. sC.t./....].w.na.....4^..S.-..f..Mp....../......;.G.~.+...#..,..<....c.i...E,K&..4D{$.fVaL.\n.....l.WO....,.wL..W$...l.. ..!....c...T.?_e.]...Fd.....h.d..&...m.].4t.u#...^0..y.J....e...Rn..... ...1....U......Av\|}s\|...{#....1..T&......V]J.a..<f..\|..~.b...?U/...e.g..<wM.5.}.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-3N91F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.995757173580584
Encrypted:	false
SSDEEP:	24:kV8FtQm5AZDsVYmrJcEa7RjyWtYmmatOjk:k6FtQXwY2CEalWyYbatOjk
MD5:	D7F9CD5B7E1275B24EB50769BBBE3021
SHA1:	0B213D27ABDB5016B1805C2FCE5238196F48718C
SHA-256:	414BDEC0A45A95F08390272EDFFF615879E3D0116FFA38AE341770327C8A69ED
SHA-512:	8688C65B158C7F26424C9AF3E59382D7C59155D14377965B14277BE36D49012610D7ADC719E0CC6FFC3946B9D08174FC048E121FDB13104B7BD68365F15130DC
Malicious:	false
Preview:	............ .h.......(....... ..... ....................................................................................................................................................................................................................................................................................................................................................................................................................................................41..2/..................................................\|\|...#...'...'... ..tr......................................ig.."(...+...+......)...$..XW..............................RO....%...#-.. ,...,...+...+...%..87......................C@..63..01..-0..0..&...#-..$-...,.. -...&..#"..............=:..<8..96..74..52..22...1...1..)/..&...#-.."-...(...!..~{..C@..;8..?;..>:..?;..96..:6..74..42..01..21..-0..)/..%..."+...!..=:.=:..=:..<9..;8..85..64..41..3/../,..,)..)&..&%.."$...#..."............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-4JVHB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.20340524330819
Encrypted:	false
SSDEEP:	12:F5e2nwbQh05puMPaz5NV9/COvwqsvuKMBwnwfqHtJZcaHqtMbHgGomu/HAmlMscR:aCupu0az5l5R4t7bHqkAN/H7WrefjU8W
MD5:	6974D5655CF050D09AEDEFB0A870B09C
SHA1:	2C87D6EFB277163490FFF31C594A5127E8D0B509
SHA-256:	A5761AE112ECB0B8CA16EDD77F9B112D983D7F8B0C229A8099E1A35B2E4F6993
SHA-512:	AA3DBE81C2BFDBDBF4EF81DE63685BEC3743762254476F278E1FC6956A39910E2C4A1E83E491AB579B107FC0496E134AB946800D7D2CA367AE4AF2E109B6741C
Malicious:	false
Preview:	............ .h.......(....... ..... .............................C.<&D.=SC.?AU.U.....J.@.E.>FC.=XE.=?U.U.........................I.B#B.;.B.;.B.<.C.;.C.;.B.;.B.;.B.;.C.;.C.;.U.U.....................F.>>B.;.B.;.].W................k.f.B.;.C.<.H.A'................F.>BB.;.................~....l.g.t.o.S.M.C.<.U.U.........f.f.C.<..}........a.\.........}............L.E.C.;.........D.;VB.;........n.i.............................C.;.U.U.....B.<.].W....._.Y.....~.z.B.;.B.;.J.D...............B.;.E.=?....C.<.j.e.....E.>.....P.I.B.;.B.;.B.;.......x.s.....B.;.C.=X....C.<.g.b.....O.H.....u.p.B.;.B.;.D.=...............B.;.E.>J....D.<\|D.>..................\|.w..................B.;.I.@.....E.>%C.;........T.N...............}.x........e._.B.;.............B.<{G.A.........z.u.D.>.B.;.X.R...........C.;.G.@$............U.U.B.<.G.@..........................}.C.;.B.=d....................U.U.B.<{C.;.F.?.l.f.t.o.c.].B.;.B.;.E.=;................................G.@$D.<\|C.<.C.<.C.;.D.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-53THT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	712
Entropy (8bit):	7.689986023244019
Encrypted:	false
SSDEEP:	12:6v/7hFFKT/SNQRb8l3lGQdnJ5l9hfP5Y3OLHLeTS8T38YuFc5Hdp8rMPLQX:2rW/SNQRgl38UnJ5Vfy3OjLZ8T38YuFz
MD5:	BA4DA486665B6C79F792A39BF6F03ACF
SHA1:	3746A3488D981870D9CDC6FE16DD6C8171DE6E0F
SHA-256:	5444F65B5694092DD587F8C3E8BB44E159556E45688C856BD5F9515FAD6FF2B8
SHA-512:	9C3D87AEB7C2E5CF5FC08DBF666E9DBBBE431EF71BB83D5C769C9F88DDFB41934C404D72985E320B6BAF0C9F1FF45E057B82C76EBA54BFA01BF2456533F3C0D5
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.S]HSa.~..;.gS..,KDSG6I....$..D..........B.X....].".EH.Be%.$^x......!.b.%..s..Y..%..q...>..>...4. .....&s.~W...X}./..YO....R............h.....Ju....$....e...ij.O...\..%..w..pp-..8I.x...5.]..u.$vo.J.(....b..h..TC.K...>1D.p(.po..5.i...}..:.eP..a..edGs.C.v.y2t..)...OGMA..$..J.v....)\|...$.7Ed~.E.[.J..1...n..'.......BaD..[.) ....(~.1PA...U^<@.y.=,5c\'(rYP[.@yN.0...\.)FV..Q......3.hK.Rb?.j.....j^....q"?.......-....'...)..'.QD...7..U.....^...w.g.........>.......o?e..o.>Bl.A.]+d....C..f4..C......7...?..V...RZ.;/D.V..(...G5"...G.wO.L.D..K-.m-. !......`M...p...evT.L..].....:.P.{...@L..R..r[..?.1.`...+N=...i@S"j2......2!.c....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-5NBD5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.984582163595734
Encrypted:	false
SSDEEP:	24:ltjzPCZMaBUC2R0pwXqeCvJX/JutpSu39Gl/GofW9y88rk:ltj05gBXqeCJ/8pSx/Gp9y88w
MD5:	4EAA9A0B583BB8C8A369753DBD0DD0EB
SHA1:	2D8F80DF55ADB806651E9B90C32C287825EFA9B6
SHA-256:	EABEFD31E31D5141F75E760FCF96F14844F0824BD20C3FAD28C6E7C6AF4342FB
SHA-512:	B4B5CE8697B0B195F5DFF361B7822207CBC8BB07A3318154A4652A663F9715958770B55ED9D8B0F5EE37AC5BCDD19C4D2389E7D644187B86762565ED27613D8D
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................................................................................................................t4..z9..z9..z9..t5.....................!.9.&.=.!.9.!.9..v4..q3..z9..H..E...D..z9..q3..q3........OG.X.=.O.-.C.`.v.`.v..x8..W..z9...M.f...5...+...%...+.../...?...I.[.\.s.8.O.[.o.[.o...D.....G...J...X...a...X...O...K...V...U...=...`.t.?.d.S...J...S...a...o...a...J...E.....y..d...B.....J...O...Q...Z...f...s...i...W...N........j............K...../...J...X...[...X...L...b....z.................z..Pi........R.eHc.w.m..s...........V....................U..U.............R.eoQ.d.O.b.M.`.L.^.g.Zl.W..W..W..W..W..W.....................:.JW9.J.9.I.9.I`.....q3$.z<.r3..{=.t5$........................:.K.......9.I......{=..\|......X..\|>.........................;.K......:.J......s4.........\|..v6.........................;.LE;.L.:.K.:.KN......@........t...A..............................................~?!..E..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-897LB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	830
Entropy (8bit):	7.743747035981289
Encrypted:	false
SSDEEP:	12:6v/7MppO0bioeoVRws0LZivpCt1BIwB2QG9Qs1Vzaok9cz7A1oLVDiDkaBx9q8rS:hg0OX6wVduQywAQG9vSkEQiDY5aA7
MD5:	EB5BFEE784207B0EED0CB53FB3CF7509
SHA1:	519EEA88024FE4ABBA292A5097D879D42EEFC813
SHA-256:	450B1779BBDB391E340B1A142C0F2AB89836F6E7BDEAA864F9D660059129F13E
SHA-512:	0404FF8FFCDB1F8A1935837883102FF113EC3E18E550544F7B33D8554D8DFE4EEAF3590A88E9C62A02AFCCDA0946E17BDF2700FD85CF84E912CDDDF09CB883E9
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.u.iHTQ......q2...f"K3...2.6[....5d......J..PadHE.m..mS9QD.E..Q.eaD..c.Fn.::.{...YM....{~...._.?..".Yqo...i&9,..W.ie..2....,x=.J.mR....sV...=w.\.....5.0'r...p...A.<.u.....j..~:...u..w...~Sf..Xc..a9../..<.1.....ks....9.7..Uf.D0....H......B...IR6.\$s..%.2.\|:.)!..[..0.....o......f.6....'Ud.(..x.#.c...v8..'......]....0.".T.Zn.>..}_......@...QP{.B....G..";&...&v}<.bj.....6a.m.f<.E......[....b.1./.....H.M9..Z........%q......bs......\|..%.z.wcp.Y.$.I......oJ.m......[s.'[...:..N[....\|.r...$.b......L7.B..M.n...jx.q!.2.!...I.^.!...6..>*.9.=..~Y.....L.dd..F~.8Pw..J-.mY.(~.c......7..W.f'.n.q1.D}..J...1....Re..t.,........A.g.Gy..x...\|.+c..+.2......f.....{.ui=.....@U...;...U.........Jz....o"...e...J.x.im..{...!.......O@s.O....0X.7f'K.g8......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-8SH8M.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.401447563259091
Encrypted:	false
SSDEEP:	24:GxwtVB49rxl+FrnlMxh8M2J382e416LZYuegYtTn2H:YwjBoxlyDlMxj2J3SC6uSuT2H
MD5:	54C24D9A4A0FECA1E1732A2A800FAC29
SHA1:	D089A770D1565011BF54CFF7DCD29885F5595340
SHA-256:	3BD7E6C88BC3E06CF51817BBCB9CE14895D22A71E96E571F108110A33273FF59
SHA-512:	B07A8DE23A7D69413BA31E7ADC81B9F0200D58F7F247F78E5453ABAF737FBAE35D60801E3A33AA2F62C27AEABC2F669CA38198111140BE989E2DD315F651BB56
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................#p-...0......E.........+...A.................................4.l...................z......%..J...............................5.v...... ...1......`.........................................6...]....-.R.K.u.5.H.#.6.=.j.,.L..m...".. f%.$S(.........)+A.:<..!....0I.1.?.`..1.A.+.C.f..9.V..W..............)f+.....12...............4g......\...p...9..z'...)...1...+..... .#.....$$M.&...F?..E?..&....@g......~...^....9.8.i.3.f...H.....'.%........m'><.2=..><..,.................~.#\|!.@.R.?.R...1..g..DT;T..s..!..............w..D...........".a..............v...5......$q#.'.;...)...".........!v%.[.{.C.i...............'.......'..?..5u4.U.m...W...5... ..\|.......\|...........r........>...I.O.c.'x&.\fQ6H.Q.4.U..s..l#...'...............!...!..g"...2.;.d.I.Z.TpKPaeU.XYK./($!.'.u..5...;...6..{"...&...;...:...-..7..),#.YaN.giZ.bhV.>C6......Z'.G.t...E...=..["...3...9...<.L.x."z1.....02.X^N.\bQ.KPA.HK>.F_BLY.q.m.../.N..&.^..>.Y.....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-95L8E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.739434322498255
Encrypted:	false
SSDEEP:	12:iStQidpNKcrw3FGbVzh8MgzemLqu+kqkng6dPEAaRAdViNSOC09YzmLk:i4xuNYBzh8MkeZLRkng6q/RWmSDKYzR
MD5:	5782C8F6C70B8E884FCB822EEF286EBE
SHA1:	66776EDD49D55F0F440FD5DCCF38FC27147076C2
SHA-256:	C067BD4E1DDB1EDA87201D7BA65BEB416C56A9ED486D17454148E9A013A6BD32
SHA-512:	70366DDABF05D4A60C6AE09266A4911CE61268DE7C3E83292A627344AC048A1510F46B48A566790B986AB1264E3FF38FBCC552A3E60A9249D7F1D12E44657CBD
Malicious:	false
Preview:	............ .h.......(....... ..... .....................................................................................................................................................................),).....)().)()R....................................................),)JJMJ.kmk.)().989.................................................!$!.\Y\...101.kmk.....................................! !B!$!.)().wxw.........sqs.kik.RUR{9<9!................)()!!$!.RQR.................................cec.BEB.989.....),).)()................................................989.9<9.!$!.................................................xzx.{y{.)().),).........................................................)().101.........................................................)().),).........................................................!$!.)()ckmk.................................................JIJ.)()J....),).............................................ZYZ.)()s............101{Z]Z...........................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-9K8JO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.472732468708232
Encrypted:	false
SSDEEP:	24:eO+ZmtXn7q6EQAkkUNtYa1TBExcA8CNJF22222yLIXTN:eO+4p7q/QAtqTexR8M22222sIXZ
MD5:	F81E507FDAD67F58488CF3D937594180
SHA1:	59C646FB4F2808E0020BDF1728237F067B3264D2
SHA-256:	DCA19404AB1499715ED30AFCA88E4BD85371BADC6A51E1677EAEB1DFFC8CA289
SHA-512:	70FAB93C992E18FE77C53C2DAC203B2F599DCD888D55015E668B2DB149AE51BCA7DF6A772D5FB4633D038BFEB6CFBF4CF64C3384031E7DE4BC23BA6948171357
Malicious:	false
Preview:	............ .h.......(....... ..... .....@...............................................oL..pM...............................................n.3.y...\|..~...~...\|..y...n.5.............................y...................................y..1!...................\|...........................................}...............z.;..................1..\|..........0..............{.?......................$.....h.........p...................a...............\................................g.....+.......D.........................................../.../.......U.............................3............3.}...".."..".."..8.....................].....!.."..........%..&..&..&..&..&..&..W.............$..&..%..........'W.)..)..)..)..)..)..)..)..2..A..)..)..'[.............+..,..,..,..,..,..,..,..,..,..,..+......................./../../../../../../../............................%../e.0..1..1..1..1..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-AHS2A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.518492008840673
Encrypted:	false
SSDEEP:	24:XTZmE/ZYQwseqlUQQSbG1tHhRNyYkTHHSD:XTgEGiSnZiL8
MD5:	6F6B30B331D4B1B52218C3EE9F6008E5
SHA1:	99BB8C47F45B605BA74866586F9B2AC64CAE082A
SHA-256:	E5995C8370B5C383F7B3A60F3A79D3A67650A85C3A954D208E4736F4021BE24E
SHA-512:	1BA21D5611D96D7090F3A9E80E1DBBE34C390E02AA7145354F069253B0D440D488D24F385CC2A0A9469A9D5D9EFED10D4D1F15A8D36969497593A2B60903B885
Malicious:	false
Preview:	............ .h.......(....... ..... ...........................................................................................................v.........@...@...........................................p...Xy..........................p...................0...........X{..Y\|..Z~..[...\.....................0.................Wy..Xz..Y\|..Z}..[...\...........i...`.................P.....Wx..Wz..Y{..Z}..Z~..z...................`...j.........0.........Wy..X{..Y\|..Z~..........................`...`.........p.......Xz..Y\|..Z}..............q..........._..._..._.................Y{..Y}..y...........]...]...^...r......._..._...................Y\|..Z~..............\...]...............^...^...................Z}..y...............\...................]...]...................Z}................[...................]...\.........`...0.....d...Y}..........Z~..z...............[...\...p......... .............d...Y\|..Z}..Z}..d...y...Z}..Z}..Z}..e.......................................n...Y\|..Y\|.......

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-AP20J.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.275771912287761
Encrypted:	false
SSDEEP:	24:INtkHVr7SidRa/Obkfbw8H1y3LIseAevOGZ0bTsB:LVPS0a2AfjeIEeBZ0bTsB
MD5:	6A4FEA20675B423DC5B6AFC565BA2D57
SHA1:	D241A8C16A86789F1B28EAA58B164AE6C9457FC1
SHA-256:	73EC225A303B4A44537CBBCFEB5FC07BB8EEB9FDFE0FACA788309CC7C75F3F74
SHA-512:	2948886496B704F85A71549341A1D8E5DE36375CCC6FF79B0F95BB6FC755147DE35C6F556E02CFF916B5967F95891E1586F065DC329A68E057093032B485A4A0
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................................K.}.s......(...)........w...H.....!... .................W.#.n..&...<...M...i...k...[...C...+....q...K./.............W.#.u.....A...>...'......5~..&...;...G...2....x...V.,.........l.."...>...'...!T..-(..BA..MN..>=..)4..%...D...+....r.......[.j..../...5....J.."...("..63..=;..40..' ..!)../...8........p..p..$...8...+~....f.....$...)"..,&..(!..$........K..:.......v...}......>... F....4...d.......................\..+`.9...3........~..3...C...Ni......................................7...8........~..2...E...?d..z...............................f...9...9........}..0...L...Y...]...]...`...c...c...`...\...]...Y...N...8........r..1...U...\..._...v....xs.....}..........._...^...W...8....y...b.u....R...W...f........LA..........LA.....g...Z...V... ....w......r.....^...m...........................p...a.../....z..'........W.#.w..-...x...........................\|...1....z.....M.............W.#.s..&...k...................o.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-ATN0O.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	488
Entropy (8bit):	7.3920224953533245
Encrypted:	false
SSDEEP:	12:6v/7drHlKbwPKM5RMujiE9hN+clw+798b7w6sJ:orHkbwSwMujiE1+V+JukJ
MD5:	694A53E27D606EC219A2701C6DD6926C
SHA1:	E2EF3DA049160DB18AC5AC2D770B3F05F219722A
SHA-256:	0AD6EB5F37D593E9096640D5C0440D108BE85DCBB0C726CB5E0C8802E1B3421B
SHA-512:	B246D42344E90922EFCCFAB836BADC30DBA8E370BEE29E03524B0310FCDC9FEB727BEF32EDB695DD42B72FC99543520B91D8179A83ECC479C709DB9077861216
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..K.a....[J..............D.4...I...Q8.iT.......D$-EC.%G.IP....R+.....4.{....s<......-....!.#H=..p........r....!...z=l6....o.8..$.T}...........N'...\....e.3...C8.n..3..R..-y.....j0cX.x.o...4...#!>!u...X..".....V+.!..<#{E.R.aj....J...,,....O.N..8O.C"... ..6R.l6.7B.....9..%.{.b.L..C.ET..v.=....P..x'.....V.s.V...A<w...9...\....T..E...\|...d;`....,G..O..#i..PD6.....5....n....4..<2.4......`.../S..u.>..;._........IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-BG337.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1342
Entropy (8bit):	4.6359350276939795
Encrypted:	false
SSDEEP:	24:dji7RcfMBrFZ4SJP/eM3Oa6xkbHITYphkt:djUcfsr1xG9Ypmt
MD5:	DA65CA13005C823DFDB8A02C0F534EA1
SHA1:	555B00EAB24107ED4B1E86A30E634DED6A3B172C
SHA-256:	73A10CE1010DDF27AD68552766FD5803E9DDAFB7ACE123822E6EB2FD69954D9A
SHA-512:	576FC82838F477AB1806433240C1508184C1E00B5365A2F5719A3FA53DEFD4AE71A6ED5A262F5D174AAF089F46F677332D270C154AC6185E8616DF1D0E53BC17
Malicious:	false
Preview:	............ .(.......(....... ..... ........................................E...D...........................?.............................................d...~...............................\....M...d.>...m.G...C...C...C...C...F.....{...........................o.C...C...C...C...C...B...B...B...B...o.N................<........C...C...C...B...F.....e.......b.@.B.....\|........?........G...C...C...B...j.J.....................B...F.................C...C...B...n.P.........k.K..........n.B...C.................C...B...T.-.........F...B...C...C...B...C...C.................C...B..........`.=.B...C...C...C...C...C...C................C...A..............B...C...C...C...C...C...C.................H...B.............h.B...C...C...C...C...C...F..............1.......B...i.H....E...C...C...C...C...C...C.....\|........>...........x.Z.B...B...C...C...C...C...C...C...v.V................................J...C...C...C...C...H...........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-DQF44.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	3.614804652904851
Encrypted:	false
SSDEEP:	24:Biiii8ibi0TiSDiiuYxId1diiiiSiiiwKrkIzpJi4arAJbJbJbJbJDg:Biiii8ibiaiSDiiTxIfdiiiiSiiiwKr2
MD5:	92E919F7716BFEC2191169F9D1513737
SHA1:	E7BEB2821E116084C0A516D754A0C7A534956BD6
SHA-256:	C5CB556AFCF8E5F48AA604646FFE93AEDE2607342C4AA93D70791ED8C4FFFE4B
SHA-512:	574F731D0220B353AEAC4B442E6ADED51CE54A7BE93BF3EFC3A7EB8F15161FAA3A1806C859C585ACCC351195AA0376608A5ED5B126DD552296D2305367008014
Malicious:	false
Preview:	............ .h.......(....... ..... .............................................\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.............................\|\|\|.\|\|\|.\|\|\|.........................\|\|\|.\|\|\|.\|\|\|.................\|\|\|.....\|\|\|.......=...$..Y...Q......\|\|\|.....\|\|\|.........\|\|\|.\|\|\|.\|\|\|.....\|\|\|.......T...7..n ..`%.....\|\|\|.....\|\|\|.\|\|\|.\|\|\|.\|\|\|.............\|\|\|...../.n...J...(..g'.....\|\|\|.............\|\|\|.\|\|\|.....\|\|\|.....\|\|\|..........a...,..u(.....\|\|\|.....\|\|\|.....\|\|\|.\|\|\|.............\|\|\|.....{....Z...3..z*.....\|\|\|.............\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.........................\|\|\|.\|\|\|.\|\|\|.\|\|\|.\|\|\|.................\|\|\|.....'.U...A..t3..o:.....\|\|\|.................................\|\|\|.......Y...7..q...\".....\|\|\|.................................\|\|\|.....{....\...-..r&.....\|\|\|.................................\|\|\|.....o.~...^.-.C.=.>.....\|\|\|.................................\|\|\|.........................\|\|\|.....................................\|\|\|.....\|\|\|.}}}.\|\|\|.\|\|\|.........................................\|\|\|.....\|\|\|...........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-EEF1R.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	2.89668669623498
Encrypted:	false
SSDEEP:	12:dDWdAyhFGViosMZNrBK5aTeiVIrSXgXdaguWUl:hxyTGVihMPBK52edrSXgtbUl
MD5:	2102DF54739C5E5FFEDDA31CE18A430E
SHA1:	B62D93ED6661FE4E0080D7CD575D0F81E8640D9B
SHA-256:	2DFDE998FEAC91E72BFDCDDF174000539C525233D4E3EA4744BD08EF70E6C9C0
SHA-512:	654F18D0C0F4309A8C559E4E0CB2D4497AABE9D9D5BDC51EA100CAF0455FC26702E0AA8390B3D7113CD7F752391B9A3283491B5A1623E0060F302EF2A816B7ED
Malicious:	false
Preview:	............ .h.......(....... ..... ............................"...........................................................".......................................................................................................................................................................................................................@.@.............9.9.............................................................................................................................................................................................................................................................................................................................................................................................................................H.H.........................................I.I.....................^.^.................................^.^.......................................................!.!...........................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-G7O97.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.042561065627236
Encrypted:	false
SSDEEP:	12:Fw3//////oXgAo////////go/P/wK/////YTQRY9K///pLKe//v7WVh5y//ze2JW:7BQC9BDRClcc3TIVBw0CC/6upx8y/V
MD5:	58BB5428EE336A048C0EAEDD11B08CBE
SHA1:	E40B41DCE19B4CEE84943905ACC31F0B624A22DC
SHA-256:	619AB6CC1EB6D48676BA555BFEC94798B8E043052967FAD42356E9D8BFCD08D9
SHA-512:	1424FE21796F05B1BB963F857BE61BD805775BC5F56B1A5ADBA8372057AEAFE01ED559EE9F29212BB74D9A1BF90F4F44DCC27AE09D1A02A674094BF8D7FA2045
Malicious:	false
Preview:	............ .h.......(....... ..... .............................................................................................................................../............../......................................................./.............._.............................................._................/...........................................................................................O...........`...P...........o...........................0...... .........O...................0...................."...a..............p......................................................................./....+..1...q..............X..1..1..1..1..(............(...H...H.............H...H..........j...H................Z...`...`...j...........................s...M................p...w...w...w.........................`......`.............P...............\|.........s...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-HIK1U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	586
Entropy (8bit):	7.630848437869861
Encrypted:	false
SSDEEP:	12:6v/7czkgzR/pOsg/sx7MiqeJACAHDTOipuwsOmA8PJO/Y7:xQgzRBX6e7nmC+puF9U/Y7
MD5:	FA83ECDD6AFBEFE0DD30A620574872DE
SHA1:	8B3299A9244809F9541BFFB7A1CCD8D58AB53EB0
SHA-256:	9AEA100DC1DCFA58A542BD9294F67B454CFD8669CC199F6C43ECD9A4C3E99E1D
SHA-512:	202937104E00E187A4CCB1D3D2352F19E1966E71DF015D1E5E529B3C148D4A91FCFF18C0D0A08CB23660962BEC06417D1EABD47D0F48A07A5DB22DFC4EB6048D
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.RAk.`.~c;.U..x..._P0..).t./....":$.......2iuu......O...VH.A>..^..S.....l...H...........}... ....II.E..".$ID....`_X.5.e..q.....q..@RK.U..=..MUT^..!..!hC..X.^....v..RG..j..).&.q.0.oM....Ah..w.....PJgj.....U...^..?.a`......3_..]..)..{9.......P\).z...t.-......pB..Z.QZ).........>...O..C.....%.....O.>q.4....kS...{..... ..Ks.....v.N.....H.<.kb.;....U0f.G..J.._.......?.......q?..-...U....[3v....&.D.Q5.G...IY..7?o...C..,..%*.e.=..~.g.......D.X.Q..]........`+..W.J.^..y.Wm.._..,5....1.sXU.o..<._.....J..Wa.g7....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-K3TN6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.304963365030796
Encrypted:	false
SSDEEP:	24:cKwiwjHRFNgmsPn71386ICxQo0hkNNNNN9:cMwjxFpi386Yo0ib
MD5:	19A1D5E299A9AEEF8E449AE555935968
SHA1:	E7C1EA89DE88FEE6B616ABBE5365C5AA3E42F672
SHA-256:	27CC231887F86DDB6FF938C1FBBC2CE319057BF90382B764AF86ED3F9C47CCB8
SHA-512:	973CCD95A012657F00B195AF3558E5E67B2AD194F9261EC3E8FD9FFC4F423E10A730E4D0ABFC4243F91FAD35097BE09D1DD0D1646CFCF1821F1928E23015CB8E
Malicious:	false
Preview:	............ .h.......(....... ..... ...............................................................u...................U...................................@'''.....................[[[....U...........................5kkk.............................OOO.........................))).................J4..:)..@@@........................................qqq.SV..w.,...+.....oN...............................*..............\|./...<...@.mL...........................@...j....bbb.0!........N........s0.....aaa%...........U....[[[.........KKK..m...B.....u.....aaa%............zzz......................................_...............U................GGG.....\\\.PPP.............................OOO.........@@@.6C..h...}...>...........................................J4....+.{.....,.............................................HHH.l...-...I...~..D.................................333.........lL.............f.KKK0............................... ggg..........t......T.aaaJ..........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-KS7HO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	563
Entropy (8bit):	7.517174524579319
Encrypted:	false
SSDEEP:	12:6v/7w//AIiO/vrFWdRdGBvXRwnHbMwigmsA7F9fS6ofSZHRQX+K:FB/vrEDdGh0ig8zKzSFk+K
MD5:	DB972EE37A5D0AEF2AEA2FE741B82C1D
SHA1:	C286B9CFEDA3CB6D3E19E1D7747790C52D84D377
SHA-256:	6A09E141A38F22AF46750BA3186AB260B0C566DDCA209B083623D8305BDF14A2
SHA-512:	9F35E67F88A4A250F8F983C8273DFD76F07A8CEEFBF54BA97D73FD1AB4C62508D8999AACD204E73CD04B86A0556AF895CA4BC07A722FB3D6143B7B07FF20BFF6
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx...O.A...v...aU<..b.@.F8y!..;.J ..{.w)^ML..../-..0!....GBS.=...v.......v...If.....;.......}.9...k......Q[...YV.........y\|.I\....QUb.....^ HN.....F.y...0r#.d...+.>.`.".....\|....:b..sB.xq..~..]$(U.G....M.;?]\|.....0..I.$\|..7.xz.@....R-......../.....,7C.%.<.".....0N.\|. ........[UU]....0....=.f.2........G...C..p.. ....h...(...r...dR.I.]..h{.d...z~......s_.(U\|..(<J ._.<.+.#,.su3.^.Q&.....ir.j.V....E}...C>.o.m...A..;......E..C./..J...!..I.*....8ij...W._.@;..[.....O.......-V.xD8.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-L53CJ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	786
Entropy (8bit):	7.667079474837334
Encrypted:	false
SSDEEP:	12:6v/7auxjxCwxayWi4r6JPSKu0G1dEnJrZkTAilExOZgaMGQC23gdHtCDswPoLrQJ:Yhgwu6JaPE8aK8GMZPPo3FlEpb6K
MD5:	60B69382DCB4792F0853815F1C3DC793
SHA1:	EF08278795D17F21D3BDE98A44CB5247E18FB6E3
SHA-256:	884887A5D27E4B1F683CF9BA3549797E9F2ACD7763144839CF690C87E38D348A
SHA-512:	115E4BC5A59F02C9F8B72541F256EE683A7FB2DF2F16C560894B83AF2141659553937FAE4FC0246561F7EAFB8E921A1A081F3BEA89825A32BABF96AF00880663
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.}._H.A......uzu.^d...bV..b.).I.$.P.BP.a)......4..FT.=DXf.Y..f.QV...%!5M.<.\..L....P......33...A.y.z...,"...a....5.f.V....W.3\.vRce..H..c.:F.P2..W..,.v'.....an=zo}....H..J.Tk,`..$.aV$@.`.!.>.c...p..i{........(E..!...u90.b....}t.d....L.j.3..4..>}...re..D.W.:.a.!7.V..}{.:1.b.A.>.x.lr..E.y.......\2..&..:8rw@.Q..E..1.LEL....[....X....9p..tF..S.P...........)+...OCm9...?.`...<+...8.N..F...[ ......='..p.9...P........Ua@....1.>...>.(+L.M..HC.X)...H.......h.&.j..$......\|..A.r......w...!..C......0..k#..,R...7,9..............^...'A.>L.<..;.p.,......1..%.bb!?{.mt.....>{....E..dD.W..eZ....9)f....3..W..+Q.......p....v7.C...E...h.a..7}....Q..ME..n.+).p.U..7.%......46..'.S.J........h%.......H...!C'j.4}.7.3[\|h.nQ....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-LDOM6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675
Entropy (8bit):	7.483904311870301
Encrypted:	false
SSDEEP:	12:6v/7doMHmeia+juikJeSnm7XW6rJ5XUkABLVsHAVSjneDkMC1:Ao9La+juxnm55uLPs1
MD5:	BD04877B6C91557B84463719664B0292
SHA1:	6B5783097D914F8A463363843B8D24C6C933DDFE
SHA-256:	B2FE786345D8E1802BAA576C0E359240EA2811BCAB1BADB433743792BB9FAA77
SHA-512:	715C6079A00306A46E221C432336B1A4AD23DA6D8AB6BDE7D9F992DF162AAA04D9332D3BAF84DBD6CBA0D4160DE4DE773F266F556CBBEAA015A5D54DC078D33E
Malicious:	false
Preview:	.PNG........IHDR................a...jIDATx.cd... 6.bQ(.+....o...#.+....gee..\|...o...R.l;....{qg.....5...k.......Qy.)....r..8...4.c..=.Wo.u...8...........tb.J....s..^..S~..c...\..XPQQ.H......>..b......._V.+g..:.N]...........O....._`X.>.........o..&.".^....5..C.M........8y...3f..s..../_...a..>.@Q.PUU....-...6,.>...(.AJJj!..0.,,....!...+ &&&.......xT.S...Z:HC...O.>../,X. .....l.%(...........m..F.W..N....:..SV>X...:q.DGF..@k.].XYYy..Cf..7.J(...e.``...p`.........~...../.....t..O.}P.W.....q....}...;h.....e........A..v.......L....~.. .&0s...{...i...fggO-,,.......={..$......333..3......Kkjj.@...~..kWW..K.N d.8<....;0...[.x5..\.'.i......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-M6QCT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	838
Entropy (8bit):	7.7197016545374275
Encrypted:	false
SSDEEP:	12:6v/7Mx+Nre92kjEfcc8YhUaUuYE67bCIUMn+VnMUHAqOIjaDD/yJgQGToLYZFN:Z+LqERhUO67bCIZfmAajkj3tyYjN
MD5:	D9F77B09484FECF86DAB1E27B61481C3
SHA1:	D514C22AC2A1AC4B0826E38C48BABD9CBB077F9F
SHA-256:	CBFBDC4F27D2DE65E5F38B4233C967F1781449DE939BDF7451F2548511CF8F95
SHA-512:	606E0E9800296568C06F6015BB6DF091D5B75E516056032FB28CA1508E67AA0E8BBAC978981CA9FF492F54A7CFE02DF233042442F707588E6E8CFD82C7F8B93C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..kHSa......t.4..kj...I0)l.y...ZF.Fe.D.%K.K.....FVH..A.Y..Z..E. .".L..sz.,.\|.}.....wx...O....>... \|.x(x.;!..;S..n..' ...o;.y.TJ!.E)"!.xbh...^..V......,....vG....%.E...7......o]v.l.a..1<_jN24L.hL..,..5q..a.q.V..C.p...=fcup..B.........X^..t......Z.lSX.le@.J..\..kh.B...a.].}(eJl....=e.~..,:C....Sw1..//...W. cd(.[...g0<>....hT.8n.C.<D.i..}`.1...=E.9s~.)u-2............c.m..G.pN..(...:.!a$Y?.W...rN,.A.9...u.X.0292.....Q'.7..T".M...\|...#....".2z'.i.i...,X....+TT7..S..k+..D'...R..q....p....n.`..\..btr..T......D.M...Op.vr,H.T..-.../Fm..T..{....*XG.X...o..qOt`GD..}~....0..Ytm.S{.5.Hvs.mE..yn...=.uC.N....;..O:.....i..R......R.Ix......../..o...x>........7jZ..61.1....6..#..<H. .x...."..H..r...iY.S".Ob.......:cf..L,.9NI...Hgu.........4..`......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-NCOG1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	604
Entropy (8bit):	7.566535696722621
Encrypted:	false
SSDEEP:	12:6v/71+R52wdTd01ObCNVVeNROSj6OjPXgEFE7LEgcuq/yp61MVKCXXN:bR5RG1iwVsRPj68vgvEgcN/RKVBXN
MD5:	4AC295DB7E483693981CDE5340D6DD06
SHA1:	2940C14BCC2C1C975D7DC484C43618F8028350A3
SHA-256:	5DF1EB6894459E748C599DEA4119DBD85F8EE024A7932ADC49E80AED7BC3CDE2
SHA-512:	05562C55530620A0860B6E636C45F035ACAFFF4F468B3F29491D909C795102377F778951033B93A8C143D87D7F779E03381E415B914EB1E8198EB0E838243E18
Malicious:	false
Preview:	.PNG........IHDR................a...#IDATx.S.k.Q..f7b.j.m).c+.h.F.(.......?@.....x..^..A/J....TAk......&b]-".....yo...evf.........LP9=...........ZH.!.....1..r.*.....u......8bi..$b...~..m,..&k..47=.U..A...Z......M...9N..4V.._C.....o.. b.nN"..OE....d.].1A...\|.C..}85;...@Bp.t.A..wW.B7......&.Q......D..p..}l...Bm..j..K#E..Y.t.pc.._<G....r_...X.;1..w...f.......b...uK..XF..c\|y..{...../a......<...+....F.......r..<..Je..k.y....08v.kk....\|>.r.,.............J...}..f...M.\|'Z.6.m....;3..B'.Mo........pf3.v.....>....4cL&m.F......&1+.... )....kri.......g...ip;...A.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-OK28S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.511795576297305
Encrypted:	false
SSDEEP:	12:ON6zzzzzKMSSSSSMa5HVyx7UmImSoH2bnDIjPNNJOtDrc53VrVOt/bQt8wQHz/HC:OD5H4lUbJfUIQ4lQ4j+HPKoCP652q
MD5:	9A89DE631D87C981A0AF3C07FD4AF610
SHA1:	6A5EE66ADA6C57C1FB8B142514DEE3272FF21605
SHA-256:	5E9C12BB009E1DB9568B273B53EBCA3500C3E6D113961729ADF98012FEE299B8
SHA-512:	B3F9BB8803CEAE7E33611BDED0C236C0A14DC6DE730A15910BD80ED15D1CF63BF8A83449E4EB83F593F9FC82C7E4C775AD799A206D3EEC93F8EA99B3746D005F
Malicious:	false
Preview:	............ .h.......(....... ..... .................................\|~..\|..1\|..2\|..2\|..2\|..2\|..2\|..2\|..2\|..2\|~. }.................BI..{..#..."..."..."..."..."..."..."...#... ....AcY[c.Y[c......-...>.. @.. @.. @.. @.. @.. @.. @.. @.. @...?...(..Z]n-Z]n-...-$B..#D..#D.."C..!C.."C..!B.."C.. A..!B..#D..#D...<.._g.M_g.M.../(G..#F.."E..?]..........Ur..<[......]x..$G..#F...A..bl.Obl.O.../(I.."G..,O..............................2T.."G...C..bm.Obm.O.../(K.. H..Qn..........Kh..............<^..#J..#J...E..bn.Obn.O.../(M...I..g.......k....G..$L..........3Z.."K..#L...G..bn.Obn.O.../'P...L..`~......g....L...L..........Qv...M.."O...J..bo.Obo.O.../'R.. P..Bh..........!Q...N..^}......Z}...O.."Q...L..bp.Obp.O.../'T.."T..%T..........r...*[..-[..Ot..h...9g..!S...N..bq.Obq.O.../'V.."V.. U..@i..........................6f..!U...P..bq.Obq.O...-'Y.."Y.."Y.. W..=h..................\...!X.."Y...S..br.Lbr.L...."P..!].."\.."\.. [..!Y..-a..3e..(_.. Z.."\.."]...M..^g~(^g~(....+N.B,_..)^..)^..)^..)_..(^..(^..)^..)^

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-P3SDT.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.54214238379203
Encrypted:	false
SSDEEP:	24:6eIPdVt3Mxoi5U7YoFhqG0f9tX9vWHpWcd9JU:6NCSFhqlvWHpWcd96
MD5:	A7F6DC763A6C440673C6A65E1174379F
SHA1:	E3FE4B3EA5D58231C0326BD5BA9BC1A15D6C095D
SHA-256:	442AEC90EE87A5859CB87703F0ADA203796A24A36F8FA7AAA5C80E87995F1E65
SHA-512:	6A06B633363C13F056B8A23CEB3D507427F26DEC1844A043D49B99BB7F95C18BA21A1F08457E7A714F17A6D1A04ECC6DCEDB855D439E5D881F6D3CFB3C7517CB
Malicious:	false
Preview:	............ .h.......(....... ..... .............................9z.q6t..0q../v..'f..3g......-Y.i.X..7w..:{..6w..9{.z............,~..G...!.......D............E.......,...)...0................r.>1...M...............................6...6....v.'................7.......................................5.................#...#SM......./G..2I..........................Vw.. ..\........1"&...#.^hw.....,A..@Q..........................&...$...$.......A22.-.#.C?F......-...-..4O..Mf..~...............&...%...8/......C44K<./.=:n..+...6..'E...=..%I..3S...?...2..%;..).(.0$&.?43K......../+`..)......%0..@O...'...,......-...$...5..-2..('g.).!..........$.0!2......................................$0...)................y...[..".........Z...(...............$."...A.....................+ #.,.".+.".....................&.".%.".5.-."...................-"%.6&(.2#$...........o.........!...%.".,''.....................-#$)P;:.Q96.....................&.!.%.!." .5........................I97`fMJ.J53.0#%.*.".(.!.'.!.&

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-PITLA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	946
Entropy (8bit):	7.732040020903732
Encrypted:	false
SSDEEP:	12:6v/7Md+AhCq2Ci1b9Hm4UEtkvfdjXxYoCa0jn5/Pt1hC5VbxePpNS/XnxQmHm3EZ:hwRUEtWzxvC1RPpC5Vd4NS/Xnxjnn
MD5:	2F8627CE7D0210CE8A83A237AC9E7FFB
SHA1:	1F7C014538E93EDF5EAB0721AB007C946EDE8130
SHA-256:	CD701C56968BF7138417063032D62ADAFC272C8C6FC98D527AEA342359DA0F7D
SHA-512:	CCDA7916E676BA730D0FE9F803E9CFFF37BEED65B9DA776DA6113B33A75ED351E699D9923B68D37AD83BA04A123815A160E53F24840DF73580802AA510BFF81F
Malicious:	false
Preview:	.PNG........IHDR................a...yIDATx.mSmlSU.~.mo..s...].I[....2..]c..($K.D...1.jP....2...HH4.D...3!.c..c...l...M...]........u?..{sN.7'O....!......N.d'mP.4.kf#.L...N..J......H.,...F..$ ..._. .".B.B.dO.....?.7.?...]Q`...f.-. ).22..,.,W.x..f.X....l>z....{...I..`<b.....4,U5..[.U.KSq,f.H&.{g....2...#.Pt)....aJ.g...[?...{@<.<L.....m...3n..oG..d.\_{.h..=...>L...NC.v..#.h...cu..........%l{...a(c.H./..h}.h.v_13U..5...b....I....W.e.Y.?.-...h....-..M..y8....'.._b..#E/.Q...'<.8.n. I.O$...^.C..8.Z3n...XM....................V3..c..6.@V..P`...=LNL.6.....(l...)A...-S...c."...\|...N....;}J. ...Q...2h.....tt...R....~z.I(.._.L....z?Z.jd...$I.@D!..-....G..0iA))Y..k.r.n.H.S!...m..:j.p:..-[... ......_........).UL#7...?9.l$..Q.V.6.".N.^...k,6.1.CZ.".....!....";.....e..e.]..VV..^Rb...&c.UW...f-m1.tn..2.....`....Y........B.f.e.......`.k*.z..".......W q.U."dZJW.3o.'.u...?..O........m V.......IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-QL6MH.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	763
Entropy (8bit):	7.6950381846314215
Encrypted:	false
SSDEEP:	12:6v/71dxGeeaA/as1IpxNhX3HqPPwVS2TgW41SeJq5RXB4f4a:oqeeaAT1IpxNhKXNW5VBO4a
MD5:	F38AF891CBBDCD155644E65363A01520
SHA1:	BA161945A3E87EA2B3735165854E8AEF28B4F201
SHA-256:	DEF30878F80E5B00CE9F334170DD6369127C52E03959F5673B7193D8B21EE80D
SHA-512:	AFB7BD4EECEF8B2E9E082E3A7203DC393E92683B4AD2B301072A4BC8C22D710AF740BC553EE92997C714FD80F993A3BE0257EC09FF46C75AEEC3EB615553613C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..iHTQ...o..of..mT,M.@..Q).R"A.......Yb~0+..,../.}.>....X...J..DV..6.3..t.w{c$A.A....=.w.{....j'.....4-.K$T...W.w$...3m.H........ZT._.t6$..4.....\Z.....#.Z.....V.Og.....Z.oxm._..F..:.;,..0..1.Y.i..^....;qs..}..F..m.6].....JH..W.1.......D.....Rn..!O..T,%..z.........{(........,._.....&....#...........9">..#N..?....l.D.dO..&.....4....0..V}$b"u...ly..0....].F....S........b.....U......P.....@&.B....0.A.\~}A....I!..Eg..0.Z...M^........O.2.Z_.4.Jpv..6C...D.td.....94Db..E..7..,.J...J-..2..,..8T....p.#C.k..SU.y..g[..~a^.q.=.C6k....w.IT+4../...eY..p.P..En.....rY... "j.... .^..l......:.p}PS6P........o...fdD..8.S.&..(Z...A...uqD...f.Y.i2.{?s...}.fMNK..u.].z3.....'....K.R....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-RSB7I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	1.0136328376606665
Encrypted:	false
SSDEEP:	12:A555L5rr5r5r5r5Lr5L5r5L5L5555555L5556DGkD7GPMg:CiGEg
MD5:	D71543D4396E09496F7724F2EB51819D
SHA1:	8C60CABA094161202D8FCBF5E787E83E586A73D5
SHA-256:	52440F7AC22968C6FB7AB07ECB382F8F047B4EB3989843BF5F396B965F2BECFE
SHA-512:	1A6A95B7FDD731F6CFB55F62DB567DD4EC162872081B8B19DF9BDE1530765FB4ED683959B43E73C1E222389EFEA7554401188B4AE0D65ED3BAE4CD124C21A982
Malicious:	false
Preview:	............ .h.......(....... ..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-RVEV0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	318
Entropy (8bit):	6.697181871409298
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+aWg7NSRAkPY+kW37wjNaI79UL00H3zSiw2p:6v/78/2VRZbW37wV9UL00N
MD5:	E472E7B1F2BF2829B8625C32CB02B0A8
SHA1:	49275242752EEC7DFB1ED14A2968F02439EAE54D
SHA-256:	FA0F63928ABF3B36BE9D310A257CABD413B7E7B7D7D92A0975C7FAA7CB2F370E
SHA-512:	02E865BF6802EF4B3851E87A3E0C984395D5A90FFD7C6282F858E8ED2A74769BD968C637ABCC710BE3290CD0D947FBC5620FBA3510CB3ABB29991278F20C44B8
Malicious:	false
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....tEXtSoftware.paint.net 4.0.134.[z....IDAT8O....P...J...@ ... ....Hv.@v.D%........`....M^.=Mh8.4.{i.6....8...m.c@.....a..q...l...'..c...R.Aas.qJg1.......;1.....~.....b.....{u.dt...^.....`..:72..Ru'..2..4_......].....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-UAREM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	7.758725240902144
Encrypted:	false
SSDEEP:	24:PLiyUaMQzTd2JxkVLDF0b5YPQfmCmGnX49:DFKmR6kVne5YPxCmEa
MD5:	5B29258244BCAD93923044B9CA6349A1
SHA1:	CC6CC6ABE4420DFA97552F5A1FF0DACA652AACE6
SHA-256:	A7D4C1C8C6FCEC92068D60D0DEFBAA38EA75010D01EA753FC913749CC89E8FDF
SHA-512:	AA8345E54E397D1AECE33F8CBE66B12AAB5F373109C787DE7C8C23BB0949A2B184CC1FB2E08CFA66F7374ABFD26EAA21D85857C74B67AEE31590A197971AF15C
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.MS{L[u.=.{o.K{)miy..<G......sF.#..d..;F.#S.-:53.ht31n..BLD.0..9E.3,u.s!.2....W_./.....k.h8._.9...\|.s.7(..!..D..&.g..m.9..D.......-..r..#....!.N.V.+U..tu#".!K2..........db\|"}.?.[s\>....x.....1....T.......z....;......lgv.4.\...\|~,...{....Mk........s...&To..y...H..........l.}m.h).....l.`k...@.O.....6$.N8[...k\"...m.'8....o....i..<......X.HM..Z.H..4R&..P.:k.7..?.zH.....9v.u.`..E..\|Dy...UP3Z.5)..).~5.."..H....v...>..H.......f!u.iEF@.M..k..]......NM".1.K.....,....0(}Dl.%...D.D@"...hp^.C[.g.c@$..w_.K...B.&u`\|..\|..66.>@(...r.......`t......#....i...J..,.....T....oN.V...%.......H.n.v.%...i/.4D..)....w<".=...+ +.......Xw."....\|...s.%..#/g5...8..@...l...........[.E&.`%...w......t.U....w99Z...A...F.v.:(M.O<..W..{x!.z4..)p.<.G..Z.X..A...tu........n.n...9.hy..>...~o....i....1.....O...ZK......&.f=...SW../`\M.......".Yds.R..:.CY...~+srI.@...E.?f...W...aI..,\Xyy.........u..G...{...D.P.....X-...k.b..D.Y^.........1....IEND.B`

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\is-UU3L8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	728
Entropy (8bit):	7.626939687751021
Encrypted:	false
SSDEEP:	12:6v/7xDWhiMwp8cPv8arNXzjOxin+3sSsNGI+dlb1TXiaG/deT7gYIaMXv3wjxyUU:mDmiMc8cPv8apjjOxA+3sDNGI+pyN/dH
MD5:	19F3CB0BD386402E675788B7D56970F4
SHA1:	EB8E440BC41C57BFEAA8E684C1E95008A3B53161
SHA-256:	12EDB57B3DC1F4FC152FB9DC44E69E669182C36A543E3F9335B14E7BF9AA4787
SHA-512:	030099A142FB428E231C9050304EA59BBFA9AF9E281FCFF0E80F3A2DA4113AA0953D0CD629B269310A47EC901279BB7C0FF5C2C922342AD813296832065022BF
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..ML.Q....m....D..('...P...r.r1...1....... .^.b.1.?b...#z....&~..L(zP..F..nK..^.....L...7.....C.....y...;m!...!c.e...dUhf....&.^K.Ce.f.V........M..@a..R.k..&.....l:..E..W.H.0.....\8+LC..2..r....!........G18..\g...r...ca:!5....\)N.......77PVaF......q...p.....`..sI)....%.E.z.`.]...(5.?O.^.%....X...kLRz<.<.......jO...@..F\jP.g.....W...\.H.......:..:...l.&H....L.x7....-:JQ...{..e=..p..(..?.....R.P.8j.T.6....t..f.VC)\|..3.g8..q..%.kn....#S...........e.....r4_g()g....ER..?d..+i...Nc3U.B....)...#...q...j...g..U..0)P.S1VQ..R....q..t..C..$5R....~Y...Be.....Y@j.....J...X. .y...6z..B...p.J.y...a..b...)....fb.t..7.@.6&...m..>/j........Z.......(f.U.....IEND.B`.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-0B2TM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.760005259103538
Encrypted:	false
SSDEEP:	48:9cPueb/98+LRtKVF/7x5qcUuD4oxp7SJU9Jhni4GZ9h2u0Kuq+j6vQuQ:efO8Yx42Jhni4GUuLuhmY/
MD5:	6EDC10A9110ACA8413A654526A2C9A08
SHA1:	74515C9BAEE2A5CA04CBF57A179F98FFA650B890
SHA-256:	E15B8D976729695D510F6CD60E047006F57D09DCF477A58F7D3CF09ED9A34AAA
SHA-512:	1E02B7F6028872398FA087B6BCA84E7F5B5D85BBB14BE1F05F576AAC4E531127A2B5919095C8479838F98CDCCBBE8274891A355857515F94061FF2B8D4D286B1
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-1AOEA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5182
Entropy (8bit):	4.429830209492408
Encrypted:	false
SSDEEP:	48:Rd9W4lzzzzzYXFrNmoN03g+iIsaDBYFGmGW2PD51s2ARAAR/sAye8:dW4gnJLI7DBolGW2r51dARAARRye
MD5:	31B5594B3A3289FB258A4EFBAC38F230
SHA1:	E41016FBE49B5B9B292EFC5C252F73452E55B409
SHA-256:	3B0521E3291E2F330873A66864C3DAC163E8E5DA9D62518C4541B38A979DE7B8
SHA-512:	825F05B05B7A0182B8F87AFCF12BD4FA1B4CF9712D39FCF13058BE32C11091145432273B443F955BEAABB995573252BD7006103E03645107FF434C8EFCC90EA6
Malicious:	false
Preview:	...... .... .(.......(... ...@..... ....................................................................................................................................................................?...................................................*......................................................................................v.../...................o.................................o.................................................................................................................................................................................................................................j.q.W.n.T.{.d..........................l.......................................=..........i.z.c...............^.>.A...A...A...A...A...A...A...A...T.4..................................................................B...B...B...K.&.B...B...B...B...B...B...B...B...B...B...B...B...`.A...........................................................B...B...B...B...B.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-34SMA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	0.6322026813246273
Encrypted:	false
SSDEEP:	12:suE555L555L555L555L55r55r55r555r55r555r555r555r555r555r555r55r5I:suvzPFV5
MD5:	E91EE031E8A775B87A966821F46B8003
SHA1:	B093537BEB4335E306C870ECF6C8C1431279F262
SHA-256:	E01B114837D5A19D2AB3492279F6AA0EA6AB960C4FFEB8369BB1A85F18672337
SHA-512:	70D2E0F656E784A10505BF73568E9BA0329EF612512B62458F3C2A6A44B3E09DF0D18D8B481978C9974A54844C7E67B0D94A56FB0FBCA616A95F21D89F6882F0
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-3C4BQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.992992998632407
Encrypted:	false
SSDEEP:	48:LxwRTmmd4FjFuwKqDBF2fA+O4dwvcYhEEXB7/T/B/cfGt:LxtmiFjKuP+O4dw0Wx7/7qOt
MD5:	BCF4E26316979B5DA494DBEA2C92B1CB
SHA1:	080339DB0B56E86428295596CED9EEBF416D050C
SHA-256:	A34A7DB975EB4367B54DC7BB5BC49A6B12F12501C3BEE21D9C9093717C193999
SHA-512:	D52B6394C34929C4758F7F5C3D805EDE1BED09C47F80B23E4EDA8A8A81D12763014B999F95E9FBDAE41A1C26548718B86C90C02BB0C8714B21078330B12D2B8F
Malicious:	false
Preview:	...... .... .........(... ...@..... ......................................................................................................................................................................................................................................................................................................................................................h?!.h?..i@.jA.jA..jA..jA..jA..jA.jA.i@..h?.................................................................................h?...K...S...X..]...Z...S...M...K..\|E..uB..i@.................................................:.Jc:.J.:.J.:.J.:.J.:.J.:.J.:.J..i@..[..o..............z..j...M..oE..d>.............................................:.J.N.b.c.y.j.}.c.u.X.i.N.a.E.W.A.R..lC..g......................{...g.yoR..wU.wjK.ziG.,ju.,kv.fq.0t.................._...A.Q............y..i.y.c.t.n.a..uH..wM..u...............................j...........k.}.2..F...9 ...6...;...<..@@..IC.qK=.P.G.X..........{.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-7CVNC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	2.904108079904619
Encrypted:	false
SSDEEP:	48:F+E7L9sciO2jASO/R9Zo6bVUZ0SS/UHL4/h3A4+Brwc2Ni:F+qcjZE7ZL6ZTS/Ur+398rwHw
MD5:	B4C726712268AACA5C8044B19D242C56
SHA1:	82295BE76E35F3B7A017C71DF4AFB7BCB13B8BD9
SHA-256:	67360906D5C412946E6621E6952DCC72E260B4BDA6B1097FB89D0968746B557A
SHA-512:	255E561C23605247FCA1BB3F071CE4E87DA9F580C93F9CB87980F2680C106FEF6B91E478953C667E55AC0B9C4891FB0D6389671AD5C1AEF0DD820ABC032A7F62
Malicious:	false
Preview:	...... .... .........(... ...@..... ...... .............................(...........................................................................................................*...............M...................................................................................................................U.......$...........................................................................................................................-............................................................................................................................................................................................v.v.1.1........................................................................................................................................................................................................................................................................J.J...........................................................................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-E7A5U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.056283894172477
Encrypted:	false
SSDEEP:	96:DZlab9wlipnz12qCLtZ7JgVksVScm8FPcTi:D3aJkipzZKtpJEkiBFEm
MD5:	F501D67C40B9B639411C99B14F60E14D
SHA1:	6F16B1384505A87848A6FB078FC3B62CC55BBF94
SHA-256:	4EC7F2AB9D5FD7E5F1622F007510B4F4D3C1C779E5CDB4B128E2D53A2E468A28
SHA-512:	775647B02208318CCAB7ED6873D9351ADD106D5EDF27857E73B215B18C04310693D210EB43415690D51191CDEF7F21AECED1B7FCF5A3AFB254698A9CF13AF3CF
Malicious:	false
Preview:	...... .... .........(... ...@..... ........................................................4...G...K...I...<...&...........................%...:...I...J...E...3...................................................7.'a..M...Z...i...e...N...C...#`....p...\...[...n..S..C...K...a...g...Z...M...,k....3.........................................R...............................e...,m..........+i..b...z...........................U...#Z..................................7.@....8....................Gp.VSY........................\co..Hz.............'...G........;.@.................................;. ....~...p...,....Sr.NAA........................................^US..S......[...A........@.0.....................................s.....8...02<.qdb....................................................../C..........~...........................................K...u.*'/.rdb..............................................................1E..y..P..............................................-.#.C67...........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-FV6S4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.548751958766154
Encrypted:	false
SSDEEP:	48:I36IcaNTUkY37c3Yd/oB3cEYp2LctCWZhlt9b7Q01iEtcm:I39NART/EshwaCOLfQmdth
MD5:	3FF113ABAD7A9C6F2AE88B1680E5DE0E
SHA1:	840BDB6139021E1FE655C240324A64481BB999FF
SHA-256:	57EEA00C948FF2F8EE9604160F4143891E5F5792765961408CE99E68CAB04BB6
SHA-512:	52B899DA820C3E3195799300122346B1A461B5139C213CEB8DED89734CDAD45878BE7E2B2F21AB5F9301CDABE6E2628571C9BB62923E318947FB41C0F2D78BF0
Malicious:	false
Preview:	...... .... .........(... ...@..... ..........................................................................................................................................................................................................................................................%...................................................................................................#...G...d...\|....962.:62.;73........]...6..."..."................................................................... .......5...n....gaZ..\|.......................g`Y....K...........................................................................R...vnhb............................................PKEV...................................................................T-+(......................................................................................................................F.+).....................r.~.`...N.bN.`N.X\..sm.v...............}..............................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-I3297.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.398174204777635
Encrypted:	false
SSDEEP:	48:Jast2MOHFY/G3BwkW6YvzQNUWRQi+EKbp2uDd4pWRwf2aGAXV:hwMOCGCvzCUW946dfMI
MD5:	E86E5DECCF75CD251149376B2882272B
SHA1:	B84C1608F2E77A4BB78D1523A679F9C74256D227
SHA-256:	228AB3BBAEEA67B9B701E5F034C05E00B61739F4BB8B9256E8FA6E4AE40C74BF
SHA-512:	784EB5883876810C15637C541EB036E87F0964F8A4B39CB7303B3C84EF8FC59425F7528890114B3381EEF021E992CD485A97EB4C58C5B8F5389F3114D6816C63
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................................................................................................................224.02;.15E614E:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:14D:15E903?/01...................................=...H...u.......z...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x...x.......{...U...%>..B...........................c..%...)...+...)...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(......*...'....u...&E......................B~.'...5...?..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A..!A...@...9...+....b.......................z..;..$D..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..$D...?...(....0F...............'....#E..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..#C..$D...:....Ed...............+.:..#E..#D..#D..#D..#D..#D..#D.."D

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-I5845.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.3625361404350915
Encrypted:	false
SSDEEP:	48:Og3bVNe49Z9LhdznJkyBVLBBHb31UOOrO2SB2NNg1F0U:53FLhBeyBlBB73134NNCWU
MD5:	E1286437AA2367AE05B567CA07F7AE38
SHA1:	A258C5400BBC5E28476805B4EBA278BA6D128432
SHA-256:	A886A335B7FC0A8EB88120FDF43E31AC349553D3DF1D3A911E3D2DF8A530BAAD
SHA-512:	E7477879F63A77A50B11D1CFFEC5ECF911A2906568FDFD1912031FAC0C2180834F5540F6EB190C43C0DA6CA52C51FF0C714C08F32C5ADF52C1FCA15EB2804595
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................................................................X<.!~V.3.W.3Z=.!................................................................................................pM.!.n.{.u..z..~...~...~...~...{..u..o.}sO.%........................................................................\|U.#.t...~...........................................~...t..~W.'.............................................................m.k.~.........................................................~...n.o.....................................................u...........................................................................v..1!...........................................x...........................................~.......................................y.......................................u.u......................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-JJI58.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.015933025401917
Encrypted:	false
SSDEEP:	48:jlLTFwirlRR25mD7NHgf/nrqQ6kcwpgHBWgOXKpAsDn5DnO9eXVP:ZLTFwirlRRymnN0/rqpkcwaDOXZsxqYZ
MD5:	B5DECCE572BF993C4F6CD6BD108DF2C3
SHA1:	21C33E841AF7DE3AF8868EAFF54EDB1492AEBEA4
SHA-256:	42A521BC3EF75526B3A1839DA875A949B369C6A00F2EAA43C8BECBB3E8279555
SHA-512:	EEE0D7F592836DFCEB0D50E2695DF6ACF336211E3C83C9DF8B49325BD03E2B3E5BD39DC8CAE3193A32D953CAA79543F8D356930CC6C6769A861EDA8F31E04D6A
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................F.>.C.;.C.<.C.<.C.;.B.<wC.=.............U.@.B.<UD.<\|C.<.C.<.B.<.D.=.C.<nG.@$....................................................U.U.B.=.B.;.B.;.B.;.B.;.B.;.B.<.B.=hB.<.C.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.<.D.=mf.f.................................................C.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.B.;.C.<.C.=P................................................B.;.B.;.B.;.B.;.B.;.B.;.B.;.T.N..........................O.H.B.;.B.;.B.;.B.;.C.;.............................................C.?AB.;.B.;.B.;.B.;.[.U........................................B.;.B.;.B.;.B.;.B.;.C.;.........................................C.;EB.;.B.;.B.;..............................................B.;.B.;.B.;.B.;.B.;.B.;.C.;.................................F.F.C.;.B.;.B.;..........

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-JOKOG.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.505932325468453
Encrypted:	false
SSDEEP:	48:6x5Iin1G7yKJ1Gs3UNIAB09uq8eq+xn704qtiCA2Kn5t7eUO:6fIinYy7sCIASsq8jKqBA2K5Ber
MD5:	A9756849B11E570FCB8F845201B4A435
SHA1:	6A6085576DD2B871485296BF2EAA1A4E02EF9C81
SHA-256:	4CDD2B35CB1CA9E330D06E184FDA8FA664DD59C7428F67DE9986E77087DEFB5B
SHA-512:	47D16D4EA54B20F7124BDD64B2377D1D00AEECC228EDBCD77A754EDA9D9F977180A2E6E906A0527C9D05EE2C9BEFD52045E7D42B93E69C6E94F9FA73195BDE22
Malicious:	false
Preview:	...... .... .........(... ...@..... .............................................................................................................................................................................................................................................................................................................................................................._..._.P.a..a.._.P._..................................................................................................._...r.)...?...N...R...G...0....w.._......................................................................................._...\|..2...E...:...,...-...>...O...@..."...._...................................................................................m.*...<...'...+H..@>..MO..:G..'t..G...:....y.............................................................................._.@ ...6...-...$)..'"..41..<9..0,..&"..'g..?...(...._.@.........................................................B...F

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-MAUC1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	6.123671236740637
Encrypted:	false
SSDEEP:	96:M6HyDOdzc8+Efv02qJgthMtLdhItbSCIYU2P8x4He:YDOd4QH02qJlZdhUzIY0e+
MD5:	9D963AAEF1A316841C2C34AE32CDEDB3
SHA1:	A73386D3ABE3824621B72143E0402BC1388CE700
SHA-256:	9DD59EBDBAA0D4CB4A4422D597DB6C7EEC60624F042A273AB1C75AD785168945
SHA-512:	81757CF518EFB4CCB90BFE35383D39D16F5C9210BBA8EE2E58F62A4961591F4244D78C6702B1AD022E9205C7177976B2E8EDC8E8FA5C4BCD2BB6F95F504140B2
Malicious:	false
Preview:	...... .... .........(... ...@..... ................................................................h-L/./d5.,R/....t........................................................................................................3M3.).C...5.../...1.(.;..I-.................................................................................................3&.$.;.....................!.,.#-.........("&..-^0.,b1. &......................................................................6t8.............................%c$....));$...(...!...'.".8.)='................................................................&/.0..............................l..!.......................&.2....@............................................................,p(...............0...7...1......i..):#..........................&.s............................................................I#...........8.).M./.U./.P.).?. f.."[&...:.&.J.'.G...5..........".q.......9...M...<........................................... ..._.y....$.,.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-NFQD9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	4.099397362289201
Encrypted:	false
SSDEEP:	48:SB5/OEO7w9J5CJDojYDgyTAU8Nazp+1RmzzVzab20B+H7YBkLviAhJySdzMVn9f:UGniUvXAdNGtzzu8ALAmS0
MD5:	3236B7EE04864A464C4269EA6772C06B
SHA1:	C32DAC3F987C391FAEEFB48184431669F6C2D961
SHA-256:	641DB9FED269716510F749F98430FBB3563A0DDE013354CA2ECCC572E95EAF84
SHA-512:	F311E36B92F5905B15E9738FE431C287253A2DDD05D5EBA758DCCD7257884D3A7990DCB6A77401C25122EAC419F68F543ACDA12BB3AABA0C790155EE84544702
Malicious:	false
Preview:	...... .... .........(... ...@..... ....................................................................`.........................................................................................................................j.........`.....................................................................................................................Uw..k.........`.................................................................................................................Vw..Wx..w.........@...@...@...@...@.............................................................................................Vx..Wx..Xz..............................................@....................................................... .............Wy..Xy..Xz..X{........................................................ .......................................`.................Wy..Xz..X{..Y{..Z\|..d...Z~..[~..z.........................................P...............................`...............b...Wz..X

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-NVGKS.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.865260776041573
Encrypted:	false
SSDEEP:	96:KSAuCHoaNkcD71rTr/JXTL2oOJu2u/V8o52K:KJuCHHN/rTMoOJun/VJUK
MD5:	340BD449C16ECBF1A7BC30C7B3AED555
SHA1:	D4464A700F4A7C6CDA68BE19AE90B0526D980B33
SHA-256:	01F8E1E82FDA69928E9EDA19DE2D775F4194CB8ADC081753C426456BFE2619F6
SHA-512:	16807B0C2B16547397D717DDA738B69122F2C3DC6CF2DE988F8675D4F2E0B5C9592D350FF6F408F012FCB4B3822FDB5ED6CA887D311DDAED090193AFAF0826B1
Malicious:	false
Preview:	...... .... .........(... ...@..... ............................................................................................3...@...-......@...&.......................................................................................................(+...[(..m7..D...G...a1..>......<.......................................................................................'...7...D...E3...L ..V7.f)..X....>".s5.. ..z...................................................................)...0...9...A...I...O...R...S...P..zB...n8&.c(..P...{9!.t1..4...................................................... ...E'......\...D...P...V...Y...Z...[...`...g...i!...E...v:+.T...L...p/".^...8...A..4........................................)..tI..........=...@...P...T...Y...c...j....&&0.<>J.div.....j<5.j(..C...M...Y...E...A...}..=................................=...Q...8......g...Q.......c...V...v((1.?@L.hny...............n\b.a"..O...;...H...t5..c+..L...z..$........................J..\|R...4...0.......).....

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-OB5TQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.327550606417895
Encrypted:	false
SSDEEP:	48:7ok26VKvsyK8gww8d6IrU866xoQ6iekgM7F5F616mlunzNa:7hNqsyw8NxogekgS/01l2zQ
MD5:	B1B0BDF79925656C6612EB420EFDD0CB
SHA1:	67A7A212310C229BD3753F937FE769392719BA85
SHA-256:	02FDCF85764302068222786937E5769650543F7B19B06208B65CE325792E7282
SHA-512:	700EDB186443417B8B5C2FFF44AC0CA4F40492F08789A4C44818F8255E4C5082AB7388AFBEE9DBE86C3979D15FF92F6CF33ED787694470AF7B88B86BD180F01D
Malicious:	false
Preview:	...... .... .........(... ...@..... ........................................................................................................................................................................................................................................................................................................................................!...!........................................................................................................141.........! !.!$!Z...1...1...)...!............................................................................................RQR9....101.Z]Z.........)()s...J...9...)...!........................................................................................BEBZ............sqs.....! !....Z...J...9...).......................................................................................)141.),).............),)........s...R...B...1...!...........................................................................!...1...J..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-RAS3U.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	5.07531325717377
Encrypted:	false
SSDEEP:	48:n2to4hDDD+l6ZtQE1mA/+PWLlClkKAUqjcVGTJUysHFa/IJu:2tthDDal6LL+PWQSB6sTqysHFaQJu
MD5:	D0D41AD531613F51005CFDD6E7AFC134
SHA1:	828A3A01B74603403798155326286743F5E4000C
SHA-256:	0E43F7B2B24A035112F9FACD840EF0856F68260BA890CA1EDD7FF7B4A1DD3036
SHA-512:	3471310FDE5E1341FD75B69C5271B15B385885E90A277E90F989D75638CCCA63E1E04BF4574E2610B24AC16BD0C04113EFC15E5B2A25EBC94191845BD03E8F44
Malicious:	false
Preview:	...... .... .........(... ...@..... .........................................................................RRR.VWW.}...ccd.ccd.~...dee.-...............................................................................................qrr.))).....................................................................................................................PRR.]__.'''.9;:.?CA.<>=.<?=.@CA.011....%uxx.............................................................................................wxw.........................NOO.................TTT.BBB.;;;.........................................JJJ.HHH.OOO=eee.TSS.ZYY+433.........`.y.E.e.F.f.Y.v.................bbb.[[Z....O.......................................................................2...........0...%...'...+...........2...4........XXX.....xxx.............................................................lll....F........1...7...8...............Y............ppp.....ccc.........................\\\.ttt.nnn.non.ddc.rrr...............

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\32x32\is-UN49E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.980115331909525
Encrypted:	false
SSDEEP:	48:zCCCPJgo7qkfGEEEEEEEEEE1vt9COYNybhh3cGcm:O1So7qkf8zyNw33P
MD5:	6447AACD6C19A9D3F0CDB2322620997A
SHA1:	DECED599496691BB5403D8CAA063227181400DED
SHA-256:	B5D3DDED1F4C3F75C033E19008119BC8E283DE10BBBCE39488854028C54511ED
SHA-512:	91942D1C960B176BCA722CB5AF08B38A0072B789EC9E8B75236662BD69418251FBC1A30A41FD1FE0264CA34934608989AD441E728972F1E389CDB3E30F9336FF
Malicious:	false
Preview:	...... .... .........(... ...@..... .................................................................................................................................................................................................................................................................................................................................................../..?..?../............................o...................................................................................................................?.............................................................................................................?......................................o...........................................................................................................................................................................o........................................

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\is-D7G9P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	683
Entropy (8bit):	5.044623021418303
Encrypted:	false
SSDEEP:	12:0O8xWSwt90CBDgfhkZJ602QWTlu/nyeX+L4m13Fx1kJ3J14g/1WWdS1weLjn7B21:0O8xWSM90EeG3GjTA/nyeX+MmZFxCqSz
MD5:	2AF8A7F7B2C4C7F18069E445DD927C6F
SHA1:	3CF8123F77557EBA8550888B972BB1244E7185A1
SHA-256:	9A8C7E3174434930075FF024E23316984B666C8D8C6692B12245BBC22B9DED88
SHA-512:	5DA67F67420DE60CAB80E2BE3E849B95E481EB2359B0A045854081D1DBC9CE744F2E2893A17C15BC63846FD49048D60CC3BAE364C8E08B6BD70017171D8212FC
Malicious:	false
Preview:	[Skype]..ID="skype.exe"..NodeID=41..[ICQ]..ID="icq.exe"..NodeID=39..[Google Talk]..ID="googletalk.exe"..NodeID=38..[Yahoo! Messenger]..ID="YahooMessenger.exe"..NodeID=40..[AIM]..ID="aim.exe"..NodeID=37..[Trillian]..ID="trillian.exe"..NodeID=42..[Windows Live Messenger]..ID="msnmsgr.exe"..NodeID=43..[Tencent QQ]..ID="QQ.exe"..NodeID=44..[QIP]..ID="qip.exe"..NodeID=45..; 47 48 - mobile..[Viber]..ID="viber.exe"..NodeID=50..[WhatsApp]..ID="whatsapp.exe"..NodeID=51..[Telegram]..ID="telegram.exe"..NodeID=52..[Mail Agent]..ID="magent.exe"..NodeID=53..[Line]..ID="line.exe"..NodeID=58..[Mozilla Thunderbird]..ID="thunderbird.exe"..NodeID=66..[Opera Mail]..ID="operamail.exe"..NodeID=67

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\is-UV691.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.6080756717696785
Encrypted:	false
SSDEEP:	3:yqysmslLEJEEsoAR5kmi8LBJqMxWAixOF:PmslLEJEEs1DqMVSOF
MD5:	13F5FF288606E078AC9039B6B38A1E2C
SHA1:	1C70F719594C4D5186B79862AC8903C849DA1537
SHA-256:	9C6E2764789D6138A98A91FB3081049C3558F08BBBAE6E05814EDBA25C49C45E
SHA-512:	C01F3AB6FD1C1050DCE9EC8CBE37FEDD0EF1CF77268C9F7849C573CFF438509DEEA294672BF2ED4E84C85DCCC27C28AC59484FAE9C984BA20EBC3FCD072AFD76
Malicious:	false
Preview:	Skype..ICQ..Google Talk..Yahoo! Messenger..AIM..Trillian..Windows Live Messenger..Tencent QQ

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\ru\is-6KMM4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.3735572622751846
Encrypted:	false
SSDEEP:	3:yqysm6Un:Pm6U
MD5:	27F304A88B022056B9782E0028658121
SHA1:	910B0D7556D4C187815C7E92C2556A1FB8DC08F3
SHA-256:	A43CAB140F23A03830F146E72920D8CC7C9FA6692B01483947D8919BD63F3625
SHA-512:	F9F5330459D9E8448967574E47995C0774727EBE6C82C7D3C8F577864A98694A90EB99BE8AE06F6BBC08FB08750BCF93B3A23B0A3EDEAEA004FCCFDE6DDD6379
Malicious:	false
Preview:	Skype..ICQ..QIP

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\zh\is-RQO1I.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.150292659616668
Encrypted:	false
SSDEEP:	3:yqyxATSfR6lLEJO:XblLEJO
MD5:	A81D187F7CF46F4FC7336B86CBAEC37F
SHA1:	7B0E93E0B0E167997960C23CCA5A75B051EB30E9
SHA-256:	1231CA0960A50BFE65D8931A816737054757963C4C7CDE91B696E4C171B5D609
SHA-512:	7F1A558A3F19C29093245687B1DE5A20CF63C6134DAFDF8EA9F64D7116B7F83B2996EF26AF6118AC8003DA954A5B1A99262D1F7D7062FC399302508487C31ACC
Malicious:	false
Preview:	Skype..Tencent QQ..ICQ..Google Talk

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\is-K3KTO.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 210 x 336, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	19730
Entropy (8bit):	7.966645049778982
Encrypted:	false
SSDEEP:	384:qJXE056Cv0Ek+u9AOgo8KWTVQSSKOhFjVdQO0MUCguUfrDlk0m0pe:q35fv0fjyKQQT4MyxrZwIe
MD5:	31EC3A003CF3D2C1CDE419B2770AE700
SHA1:	02927572E6B55561B729E37406C197BC782A5B08
SHA-256:	F9050D57ED7DDF92CD1B92505BEB33A606EA90682AE918DF2464C0F4ECC8CBEA
SHA-512:	646C7DEF65B4921CE55246D408348E10628B55FB4D5F920EE69CEC88F3F3C38BB1157C749CA4F0B13710AA431DFA4229E4D67380AF0A0FBF78A9958ACB739464
Malicious:	false
Preview:	.PNG........IHDR.......P...... %....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\is-LBPNQ.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 1122 x 60, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	36574
Entropy (8bit):	7.983280552060311
Encrypted:	false
SSDEEP:	768:3WN9F6pKVwko1aCYqIfw7dVCOyauFqRZd96/UCfD0J1RGz3/:3WDwc6kHYI47wqRzc/bfDG1RGj/
MD5:	6013CCDC5004442BD8EB1EAEE1A2FDFE
SHA1:	7447A346E5E2002E4EF6C56E149EB140ECC5F192
SHA-256:	065857BDAEC7F2E73BA3F7B81D627B94794B67E35D62168F439200FC840412A5
SHA-512:	2047C8F6BAFCC06124A2BD3776475B89C2470090DEB186AF88787E0AFA2DDC0462C70FEBF58ECED3F192E5DC918BE37F4A17EAAA63D337C8A176099F818F9A25
Malicious:	false
Preview:	.PNG........IHDR...b...<.....-.......tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:557A66613F9D11E2B86C971723AA9104" xmpMM:DocumentID="xmp.did:557A66623F9D11E2B86C971723AA9104"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:557A665F3F9D11E2B86C971723AA9104" stRef:documentID="xmp.did:557A66603F9D11E2B86C971723AA9104"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>-2.....RIDATx..].x...~.eM...^....$.@.e.({..B...Z...~J[Z.-PJ[.t0...E.3.;v......=.c;.-[..$.........s.......'...7.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-11HCR.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5507
Entropy (8bit):	7.929272432606936
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTlzb1sV3wLir9SfPUZ+IK0UAPcWNSB:LSDS0tKg9E05TBbUA+9CGK0xy
MD5:	581AD143944C6620786FE8E8FC09EE1D
SHA1:	E933A895E544CC90F45F3F93E0F28545A780CCBC
SHA-256:	1855774FD5C9C275F57970DDAD469EB71B9841D8C3440128F9351C960A8F0B4E
SHA-512:	072AB07C04E55FE3D1033FFB491EB6F180E40E8691003E46A9EB6CB37857423A2C4704C8683C4DEDFC89D79AB5BE61D2BAA8069245861EBD4865B1C67EBF42E8
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-29SJF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	6513
Entropy (8bit):	7.938370771306964
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTQ27DriW08tOW633IfYjzfxKoKg49BM+Uf9C4jc:LSDS0tKg9E05TQ2jX08MQgHx6Sxm3Cg7
MD5:	538614FCC5E9A342D74CFB01246E3755
SHA1:	3496DD97D840823F928213E7E69BB8386EA057DC
SHA-256:	3524B51003AC153E7A40775C3955AA8E3F60AE99F99E514DB60A4BED628C16BC
SHA-512:	A2689D78B11B7C48BABAD5FC97672F6173DFF0DF3C082F6403581FFA45AE7E123BAA93B46DC3495CAD42328959E0EEBA68C70F35E371D175A5E406A9BAFED576
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-FRKUA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5798
Entropy (8bit):	7.935696994639288
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nT4+KjhO/UW3j12FlHdjuxgXZLqKhiz:LSDS0tKg9E05TEjE8aoxdqqXZdEz
MD5:	5503FA64C9D05F3025834D93A81AF764
SHA1:	CD2ABB0DD317BAAB5ED12488B7EF0EB76795F95D
SHA-256:	F4EE63F12CE2753CF71A160F5D7772E998CF5B6DBD4BB27502AE43789D9DA822
SHA-512:	AB205307CEA14D14FA7CCE024244FCF5AAE6DA6F7825058A3061CB88DCDE2579DBB6670516559792B631B2A39E756BF4E81ED63C16C205AFDEFCFCBD42F07245
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-GOFQA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 66 x 67, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	7889
Entropy (8bit):	7.956855049886426
Encrypted:	false
SSDEEP:	192:fSDS0tKg9E05TVL0ZW4wNoOfMK98rfXQoEad7vgE:KJXE05105wNl9iPQs7v/
MD5:	5F738BDCCB17BABFD837386300BEF102
SHA1:	41F26EC0399CE58E1550A34C967A876A5F2FC8FB
SHA-256:	07C6155BB34D9BEBF03ECAAD535709B444D156A375F42FED15B26F6414FF63D3
SHA-512:	672E9D39AC2538D2F5CD082BD364E5C554AB0FE0A05A2BBFD4172ABDAA36AB1BCD86CCAACBBE333B85AD3905E25B5E0F0D8355E6290E8340BBE0165FC94C5E57
Malicious:	false
Preview:	.PNG........IHDR...B...C....._.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-NJN1S.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 346 x 54, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	20030
Entropy (8bit):	7.985863672702684
Encrypted:	false
SSDEEP:	384:KJXE050lAI9uOflF5XFBw+q7hYwPXsUoRGf0wp4vF:K350f95fl1uD7/XuC4vF
MD5:	E01B942B6936DF2AF64EE809086A5334
SHA1:	6601FE8901F8F131CF47352896B01C8DCFD4C963
SHA-256:	E5FEAB5FF923032A51C09F3D61DB2C4AE052CEA6691F034F397207EACC3C2283
SHA-512:	8B21E8B99218F8A0646A418BF3B184A7F8BA1A8061A60383E1EF0BECF85CD07DD68478AD8225A17ED1458DCCC49585B77FF77407F016D95FE57FAD3E8C305BE9
Malicious:	false
Preview:	.PNG........IHDR...Z...6.......au....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-NP20P.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	6329
Entropy (8bit):	7.947037633028336
Encrypted:	false
SSDEEP:	192:LSDS0tKg9E05T58Vi5CX4vwjS9b+2xv+RfO17:+JXE05GIg4ojub+2xvt7
MD5:	03AF571726FE2C2A27BFACE13DE342A6
SHA1:	A350EC8147AE0AD79E8155E7FF62772C9A0AB339
SHA-256:	93C34A8EB0A686EDD27DCEFDAD5AFDDB2005FE27E09EE9880475E35F09A68BCA
SHA-512:	29B0DD9B86A559710262CEA72EF08DDDB9B91621C1BFC21A8E2B5EDDEE7D0EBC73A778B2AF1198903F5EC3EC59891E3EA0B991D3D48FD49938FA047706ABEBBB
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-QCJ49.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 122 x 295, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	29784
Entropy (8bit):	7.980725536896858
Encrypted:	false
SSDEEP:	384:RJXE05H3FyEuuqIMky+JU2JzDvj4Ygzc+Cv23bS5PdnFKo79yBbKafVLgkjPSTjG:z35I4qWNJVzAYkl3G51odZfmjymQ7l
MD5:	4C0A6A977EB10BA6ACB252E1C29141F7
SHA1:	3F5E32E79A7D3DB63C8D0BFF06CE43DF0EC6092F
SHA-256:	91853EDF8E536457D93044FCAA5412807368B6B6C88366E05738F3C8A4D031BC
SHA-512:	6C016AABA1B638EC8B2D22CE0AC4B23F662F9D2A372CA016ED5CFDDD72FAAD1A876600E78EEAB27DDE1FAAB47A43AE7CE805B33C43218240BAAC006DA74E569B
Malicious:	false
Preview:	.PNG........IHDR...z...'......9g.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\img\products_page\is-QS9UL.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 58 x 60, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5873
Entropy (8bit):	7.9422746739510455
Encrypted:	false
SSDEEP:	96:LSDZ/I09Da01l+gmkyTt6Hk8nTbCCivsM0hVEz9EEWJcLWmu9H3s5cVQOVplQG:LSDS0tKg9E05TdMiEz9IJcVOVQG
MD5:	08696DFA1637279FCD315A0D2B13EA6E
SHA1:	9579D2CC5852F05288E2205F060F6C18F5619C39
SHA-256:	7C9CBFC634C58F761DFE138DD770C533B5DDDCF222FDE0B3BACFBB76F9A4CD9F
SHA-512:	F38BDF328BE3A4D7003A9216BDF2A9FAD1E53B130DAE37CA2BFC2CA36A497392A03950B137A1363AA25523068A38C87D6B19D5EFFAF0D5E421CE346140B9B444
Malicious:	false
Preview:	.PNG........IHDR...:...<.....@.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\is-QOTF2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	4.7252821159716
Encrypted:	false
SSDEEP:	384:fosFgDIOR12U81EfXbWtk4VAwvZRlppVLMQ:fos4II2U81EfLWtk4VAwvNpUQ
MD5:	5EC6E79E4BA242B21EBD31F4EF89BEB8
SHA1:	7D0202CC4739CFA0C8459E9347260F8F44DD72BF
SHA-256:	1B7D810D6F1338C3D06A01E067E0F933319048A03CCA73DBEA955400216448A3
SHA-512:	A4426BE8C9850D699EB3674B5A6C78E0E7666DB8BCC44D89FBA7D8D3158DE4E55548628318D13B35D7F8333C3237F1971750F46897448538F8AC7EDD4EFA985B
Malicious:	false
Preview:	<!DOCTYPE html>..<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<link rel="stylesheet" type="text/css" href="mSpy/widgets.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery-ui-1.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/reset.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/main.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/anythingslider.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/core-ui-select.css" media="all">..<link rel="stylesheet" type="text/css" href="mSpy/jquery_002.css" media="all">..</head>..<body>.. <div class="std"><div class="wrapper">.. <div class="contentZone buyNowSection">.. <div class="product_page_wrap">.. <div class="product_page_top">..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-0852N.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 52 x 44, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	5834
Entropy (8bit):	7.9212427160575425
Encrypted:	false
SSDEEP:	96:PSDZ/I09Da01l+gmkyTt6Hk8nTNNtt/qXgfUmbtKXla2oVvcdWYrIgvPUSxMl:PSDS0tKg9E05TNNtlfUmIXlaZVvcdzIr
MD5:	F3E723BB70B07629C0A18763CD74EBE3
SHA1:	0450CC4E9FEC6C3FD446E2B3D3E68D03D37933A8
SHA-256:	1216AF29845B020BD410C9A4B0B2B0C6B2D528D5C6DDDA7BBDA0A905B4DDC84D
SHA-512:	0E9B25744201D9C3DFE27BE2497A2B6B769846A77E3CEADAB0A6B916B0F342A8EFC13A0817036883D36E7461276004D3B57CE648B9C4C771656CE6FE8B9FB071
Malicious:	false
Preview:	.PNG........IHDR...4...,.....].......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-4IR4C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 122 x 295, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	29784
Entropy (8bit):	7.980725536896858
Encrypted:	false
SSDEEP:	384:RJXE05H3FyEuuqIMky+JU2JzDvj4Ygzc+Cv23bS5PdnFKo79yBbKafVLgkjPSTjG:z35I4qWNJVzAYkl3G51odZfmjymQ7l
MD5:	4C0A6A977EB10BA6ACB252E1C29141F7
SHA1:	3F5E32E79A7D3DB63C8D0BFF06CE43DF0EC6092F
SHA-256:	91853EDF8E536457D93044FCAA5412807368B6B6C88366E05738F3C8A4D031BC
SHA-512:	6C016AABA1B638EC8B2D22CE0AC4B23F662F9D2A372CA016ED5CFDDD72FAAD1A876600E78EEAB27DDE1FAAB47A43AE7CE805B33C43218240BAAC006DA74E569B
Malicious:	false
Preview:	.PNG........IHDR...z...'......9g.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-93I91.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	222581
Entropy (8bit):	5.08641292920484
Encrypted:	false
SSDEEP:	6144:nml2NjrkK/xiuWs5su3SIM9eCUQqWC5mK7C:nml2NjrkK/xDsu3DM9eCULWC5mK7C
MD5:	B278DC17F1D04A093886C43920057567
SHA1:	25B6F13A20A79632261A7117F55A3F6575EF1A38
SHA-256:	C4FF671620CD870A457D54F926592092B4323ADA8C085ED75CE3705F2DFA11EF
SHA-512:	BE7C6EA7174ED9F1DD6370B6E18C636C36228C75CD25BEA8E1FB87BEB337912F521AEE6F584A873A0C17DCA87A3E2EAE9F4C26A4F154B78E084AE8EB21E6C742
Malicious:	false
Preview:	@font-face {. font-family: 'TeXGyreHerosRegular';. src: url('../fonts/texgyreheros-regular-webfont.eot');. src: url('../fonts/texgyreheros-regular-webfont.eot?#iefix') format('embedded-opentype'),. url('../fonts/texgyreheros-regular-webfont.woff') format('woff'),. url('../fonts/texgyreheros-regular-webfont.ttf') format('truetype'),. url('../fonts/texgyreheros-regular-webfont.svg#TeXGyreHerosRegular') format('svg');. font-weight: normal;. font-style: normal;.}..@font-face {. font-family: 'TeXGyreHerosItalic';. src: url('../fonts/texgyreheros-italic-webfont.eot');. src: url('../fonts/texgyreheros-italic-webfont.eot?#iefix') format('embedded-opentype'),. url('../fonts/texgyreheros-italic-webfont.woff') format('woff'),. url('../fonts/texgyreheros-italic-webfont.ttf') format('truetype'),. url('../fonts/texgyreheros-italic-webfont.svg#TeXGyreHerosItalic') format('svg');. font-weight: normal;. font-style: normal;..}..@font-face {. font-family

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-9V1AM.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 346 x 54, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	20030
Entropy (8bit):	7.985863672702684
Encrypted:	false
SSDEEP:	384:KJXE050lAI9uOflF5XFBw+q7hYwPXsUoRGf0wp4vF:K350f95fl1uD7/XuC4vF
MD5:	E01B942B6936DF2AF64EE809086A5334
SHA1:	6601FE8901F8F131CF47352896B01C8DCFD4C963
SHA-256:	E5FEAB5FF923032A51C09F3D61DB2C4AE052CEA6691F034F397207EACC3C2283
SHA-512:	8B21E8B99218F8A0646A418BF3B184A7F8BA1A8061A60383E1EF0BECF85CD07DD68478AD8225A17ED1458DCCC49585B77FF77407F016D95FE57FAD3E8C305BE9
Malicious:	false
Preview:	.PNG........IHDR...Z...6.......au....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-AE97G.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	9410
Entropy (8bit):	4.808156480467523
Encrypted:	false
SSDEEP:	192:8xTTXb1y2qsr2WlPFGU6NQ78CodleKl5DJ:8Rysr2UgnXeKl59
MD5:	8FE70C8D484CF5852239704F1A614273
SHA1:	F13788A7DDCD3EA44A34779803CC8D27EC5C3C13
SHA-256:	6D46AD7400BA5FE7CADB930AEDAF0A8FEAD8609A5E26DCD48B274E6AC146DD94
SHA-512:	754CCE55105E01CD9668E2570212140022BB52FDC0FD02C60C34C8B691BC45D7B2187FCBA95FB9FC196D6F438154A22DAD4AFC044A3A1FC80024725AFA3066A6
Malicious:	false
Preview:	./! normalize.css v1.0.1 \| MIT License \| git.io/normalize /../* ==========================================================================. HTML5 display definitions. ========================================================================== /../. * Corrects `block` display not defined in IE 6/7/8/9 and Firefox 3.. /..article,.aside,.details,.figcaption,.figure,.footer,.header,.hgroup,.nav,.section,.summary {. display: block;.}../. * Corrects `inline-block` display not defined in IE 6/7/8/9 and Firefox 3.. /..audio,.canvas,.video {. display: inline-block;. display: inline;. zoom: 1;.}../. * Prevents modern browsers from displaying `audio` without controls.. * Remove excess height in iOS 5 devices.. /..audio:not([controls]) {. display: none;. height: 0;.}../. * Addresses styling for `hidden` attribute not present in IE 7/8/9, Firefox 3,. * and Safari 4.. * Known issue: no IE 6 support.. /..[hidden] {. display: none;.}../ ===========================

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-BKJ08.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	4.942541983682357
Encrypted:	false
SSDEEP:	24:hwyUwTlgKWSv5JZ0rKvG45jdSYqE2JeXNDs6izDNHZzz:h7+KZxJqQAeXi6i3Vtz
MD5:	6C9118F4F853D7ABC63505FD692D75F3
SHA1:	76B3CE5EC7FBEC277BD5357E2BD6AD2C461D2AEB
SHA-256:	077AA5312F62AC255FAB801D71E08970BC70E2DB469292BD9622B80EA15281C8
SHA-512:	1B81E2879067223419D09B4C6DF8A90F1255CD707EBEF0C490701E4701B721A7D4AC65860EB04083B51EB2F4CDD02D53AE880D6CD5534FF2A53C4824BE5D9E78
Malicious:	false
Preview:	/*. Magento. . NOTICE OF LICENSE. . This source file is subject to the Academic Free License (AFL 3.0). * that is bundled with this package in the file LICENSE_AFL.txt.. * It is also available through the world-wide-web at this URL:. * http://opensource.org/licenses/afl-3.0.php. * If you did not receive a copy of the license and are unable to. * obtain it through the world-wide-web, please send an email. * to license@magentocommerce.com so we can send you a copy immediately.. . DISCLAIMER. . Do not edit or add to this file if you wish to upgrade Magento to newer. * versions in the future. If you wish to customize Magento for your. * needs please refer to http://www.magentocommerce.com for more information.. . @category design. * @package default_modern. * @copyright Copyright (c) 2012 Magento Inc. (http://www.magentocommerce.com). * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0). /. { background:none !important;

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-Q6H70.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	4266
Entropy (8bit):	4.888037026868242
Encrypted:	false
SSDEEP:	96:FL8hjXF4ZFQF9FN/bIbx/yG2aC98ZehV9KF5Kf5k8gItrGZWFXyLYPBYzzDGt50s:F4xCKHT/bIbty19ee79KF5K68gI/yLsT
MD5:	94AED20EA3D620951F905B410B0058B2
SHA1:	0D4EA80D39F277A92FD4946CFB60EDFDEC72FADD
SHA-256:	4A2DE64E3701F68BE8FE448B569E3E2D36E54EA4AC59C25C91209F657ADD6C89
SHA-512:	FC5C107B7275A54966CC575EFAB496BF8D1BC3048D4ACD8916A62E0FE8B29AEDB4C44DE4513645CD4837ED58EBDF337BC3C9768E427B2DB3CF5D86CE07050649
Malicious:	false
Preview:	.b-core-ui-select { . margin:10px 0 0 0;. position: relative;. width: 86%;. padding: 6px 10px 6px 12px;. font-size: 12px;. line-height: 18px;. color: #333;. text-shadow: 0 1px 1px rgba(255, 255, 255, 0.75);. cursor: pointer;. background-color: #f3f3f3;. background-image: -ms-linear-gradient(top, #f3f3f3, #fff);. background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#f3f3f3), to(#fff));. background-image: -webkit-linear-gradient(top, #f3f3f3, #fff);. background-image: -o-linear-gradient(top, #f3f3f3, #fff);. background-image: linear-gradient(top, #f3f3f3, #fff);. background-image: -moz-linear-gradient(top, #f3f3f3, #fff);. background-repeat: repeat-x;. border: 1px solid #f1f1f1;. border-radius: 16px;. -webkit-box-shadow:inset 2px 2px 2px 0px rgba(0, 0, 0, 0.4);. box-shadow:inset 2px 2px 2px 0px rgba(0, 0, 0, 0.4);. -webkit-user-select: none;. -moz-user-select: none;. -ms-user-select: none;. -o-user-select:

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-QQDCV.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	4357
Entropy (8bit):	5.086666572264107
Encrypted:	false
SSDEEP:	48:h7+KZxJqQACHvdNOHAQVVZoxkVSmoAVxrYFQAR8/cr0Rx//rxCP7Rit/i7ri:hiex4CvdK30WvBcAMm9jxCP1iJini
MD5:	1BC699D294BA8BD26942A616C3EA89BF
SHA1:	A9D12A169CB0280B92DE02AB8C6C7C8DC1C1B378
SHA-256:	F54611C97CE99395B222F18FAB12115EA88182BD5FA922B8942DC5E792184D91
SHA-512:	895F0F099AE6A4CDF35B076B84D353762555A74C1A0FCA45DE438E2FD8E0468484FA4480FB84F94AEC42F2FC4EA5939E2A3107B446656D1ABFEAFAE86DCAA2D2
Malicious:	false
Preview:	/*. Magento. . NOTICE OF LICENSE. . This source file is subject to the Academic Free License (AFL 3.0). * that is bundled with this package in the file LICENSE_AFL.txt.. * It is also available through the world-wide-web at this URL:. * http://opensource.org/licenses/afl-3.0.php. * If you did not receive a copy of the license and are unable to. * obtain it through the world-wide-web, please send an email. * to license@magentocommerce.com so we can send you a copy immediately.. . DISCLAIMER. . Do not edit or add to this file if you wish to upgrade Magento to newer. * versions in the future. If you wish to customize Magento for your. * needs please refer to http://www.magentocommerce.com for more information.. . @category design. * @package default_modern. * @copyright Copyright (c) 2012 Magento Inc. (http://www.magentocommerce.com). * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0). /../ Widgets =======================

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-R7SLK.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 520 x 260, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	163954
Entropy (8bit):	7.997380423199459
Encrypted:	true
SSDEEP:	3072:TXsC50/yArWhc9OsI3zpKpMy4HqUmHtcg/osHXLYlYbxl9NimU:AC5gGgZOKpx4+H0lYbxrK
MD5:	22DCF2D7C51348D365D4C6DB11AAA615
SHA1:	8CFDAD2E3F5757438D9B6A7E42E2EFC1D0378ED4
SHA-256:	30F40B224D899FADEB89099E87B702FAF573914259A955BF3861F4E970C8D9D0
SHA-512:	5B22757CA8BEF67B89CF23ACC51BF6B35F21D203939FE2D6C6E0FC5FCF17BA5486A982BA58141E052DDA8D1D58374E68ED33A2E15F359306AAD433EED80C9B24
Malicious:	false
Preview:	.PNG........IHDR..............[.....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:C31305036C6011E28948F21434340203" xmpMM:DocumentID="xmp.did:C31305046C6011E28948F21434340203"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C31305016C6011E28948F21434340203" stRef:documentID="xmp.did:C31305026C6011E28948F21434340203"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...p..\|.IDATx..G.$Iz&.*tD.\|.tuOuO..g0..X.....H..F.......N{ .<.@..5#y......b...aX..@...iY.....;.../2#2.j15Hk..

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-VE9US.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	PNG image data, 80 x 80, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	19946
Entropy (8bit):	7.9802553970586985
Encrypted:	false
SSDEEP:	384:PJXE05NCJU1LcNVmza+d5HrM5NKtj7iYGVRMS+GE1aSjk6N86:N35NCJU1LTRrw0tC1VRGGMbv7
MD5:	67762894881BFB63FB6961C18CB31251
SHA1:	0A1E5D5BF083BF5AB745CEF7F2F7DEEA28FA70D4
SHA-256:	9652BA4942B40A66C17785230946AB83320878DA3432B64B5815BFBFF267E247
SHA-512:	549A137F2E628D4BEEF1259F836FCEA8DD8E0C095F43DC9E1196CEA410CB232A7A6D8AE43501FA3DE78F6E242F2A66405E9543CF2B803DD1A9FFF2868A7DD653
Malicious:	false
Preview:	.PNG........IHDR...P...P........;....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\PR\1\mSpy\is-VFFTA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	9084
Entropy (8bit):	5.065593140327065
Encrypted:	false
SSDEEP:	192:hHkh1vcghAgzaYToWEaRuBMYzwd8Hj5YuMe2Ec:qjkqAgZVSwdYw
MD5:	5F2BED4A85218C1C9C056201259D9477
SHA1:	352547773546BB1D33CB0C2384F7BD97B158C7C7
SHA-256:	FC4B85956CF6A007BEF8A531757A85F15C65937C717D6294B78D24688F36FF0F
SHA-512:	2D9E9A2B2B305B9178179D2A69322EABE394287F1C31A2D40B930C5A249433B1C646118D6EC67495926FE138306291A9C29F4F35004F18D9D5E1FB6267A20405
Malicious:	false
Preview:	/..AnythingSlider v1.8+ Default theme..By Chris Coyier: http://css-tricks.com..with major improvements by Doug Neiner: http://pixelgraphics.us/..based on work by Remy Sharp: http://jqueryfordesigners.com/./../***************************. SET DEFAULT DIMENSIONS HERE. **************************/./ change the ID & dimensions to match your slider /.#main_slider { ..width: 992px; ..height: 352px;..list-style: none;../ Prevent FOUC (see FAQ page) and keep things readable if javascript is disabled /..overflow-y: auto;..overflow-x: hidden;.}../.caption{..filter:alpha(opacity=0);..-moz-opacity: 0;..opacity: 0;.}/../***************. SET STYLING HERE. ***************. =================================. Default state (no keyboard focus). ==================================/./* Overall Wrapper /..anythingSlider-default {..margin: 0 auto;../ 45px right & left padding for the arrows, 28px @ bottom for navigation /..padding:0;.}./ slider window - top & bottom borders, default

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-0N1KC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	6.138741072579881
Encrypted:	false
SSDEEP:	24:+qqGcDzDzzrspvYD/teTclAZOPUzydT4l7Rx6IRzav29P9B66k:a/DzDPrsK/tegAZOPAku7H5zav2d9B6Z
MD5:	4BF5323641C8B9F667BE8A2530CB17C4
SHA1:	8824036ED659C4D0A23376329B397BB01632B9DB
SHA-256:	533DAA8DE562BB129564B41E2BBD734D74178E4CBB02B060A780A6C5DAE9D6B6
SHA-512:	E63C20BF94A9DE5D6344E56A3D6934B32D65D13201BA3326E70F1DC0AFA9475ED2BFA44EB829498AB80265DC1B3B5ADB0BE866F50F685276E5B1FD0E0AFF73FA
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................q...y...x...x...x...x...w...x...x...x...w...x...x...x...x...r...\|...s...s...s...s...s...s...r...s...t...s...s...s...s...s...{...~...v...v...w...w...v...v...v...u...u...v...v...v...w...v...\|.......z....P..........z.............z...z............P..z...........}....X..........}.............}...}............W..}............!..^..........."............."...!..........]...!...........'..e...........'.............'...'..........d...'......."...-..k...........,.............-...J..........h...,...!...%...2..q...........2..............................K...3...%...)...7..w...........8...........................6...8..........=...7...)...)...>...0......0...7...@...=...9...>...=.......2...C..[...........B...C...C...D...C...D...C...C...C...C...3...8...I..p...........I...I...J...I...J...J...J...I...J...J...6...;...O...L..`...R...O...N...N...N...O...O...O...O...N...O...:...=..U...T..U..U...T...T..U..U..T...

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-1AEF7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	5.462526568231166
Encrypted:	false
SSDEEP:	24:xDsK0GRS99Rss9RRgJw3Y8/atH9aVGS4pF8lY2GSVSSSSSaGR/X/f:lML9RYwottHQVGR8l9TVSSSSSaUvf
MD5:	EA31E69B4C099C0090A088937CE958D6
SHA1:	CC50F1927506BA8B94C17BFEBBA8D7B928C3A2E0
SHA-256:	3F5FDBA100DD35B0BB4DBBC216A6D0E555C11E3C4907871A1B641BAFCEF6AC99
SHA-512:	B3A62801B292D27F8614E8612399A13A1B66C15EE8ED7781A4DE87C05CE8530255A8F4BA993775810D8E4E1DA2647E58B57C3026BB0718294AA6E4C515E888D2
Malicious:	false
Preview:	............ .h.......(....... ..... ..........................D...C...A...A...A...@...@...@...@...@...@...A...A...A...C...D...E../r...e...c...b...`...^...`...`...^..._...a...c...e../r...E...G...k...V...U...T...M...J...K...L...J...L...R...U...V...k...G...I...m...Y...Y...X..........@{...`...........m...Y...Y...m...I...K...q..._..._...^...e..................$r...]..._..._...q...K...M...v...c...c...a...Z...d..........9z...X...^...b...c...v...M...N..!{...g...g...d..s.......................(w...e...g..!{...N...R..$....l...m...k..........R...P...w............l...l..$....R...S..'....q...r...p..#z..`...........z...&{...{...r...q..'....S...U..,....v...v...r..Y........................q...t...v..,....U...W..1....z...z...w...........r...r..........?....y...z..1....W...Y..6....}...}...{...........p...m..........E....}...}..6....Y...[..;...............l.......................%...........;....[...^..A...#..."...#...$...y...............,...#..."...#...A....^...`..[...G...D...E...F...F...F...F...F...F.

C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\SNets\16x16\is-21JHN.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	dropped
Size (bytes):	1150
Entropy (8bit):	4.007783593279535
Encrypted:	false
SSDEEP:	24:w66666666666BOOOOOOOOOOSXOOOOOOOOOOSXOOO2OOOSXOeKLOSRMlSkHdOOOO9:w66666666666P3O66666666666/Ojk
MD5:	887346B0A7F145675E44AB17E35F54FE
SHA1:	C22531915DF0528177698EA3AD39DB9A70EA6869
SHA-256:	BAC266365103ED4DDCA35A3B2398886E2090BBE53899DC809FA7DC9599654BC9
SHA-512:	7EEC4DAE36617AE74FA8A916ED16746FD97BBC742C05BBA3250904660D1C8E87989D39BCEEAE405016A95F22BE937EBDB789A22E42CD1088F0ABF623916679B8
Malicious:	false
Preview:	............ .h.......(....... ..... .........................................................................................................................................................U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6V..........................................................Z..V..........................................................Z..V..........................................................Z..V..........................................................Z..V......................p...q...q...p.......................Z..V..............t...s...................u...s...............Z..V......z...p...................................q...w.......Z..T..j...................................................k...W..V..........................................................Z..V..........................................................Z..U..6V..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tV..tU..6..........................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99949179236823
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sfk_setup.exe
File size:	24086096
MD5:	945d981860358a2da40321783865f6da
SHA1:	df551d918354421e60b458cbd7a9032080835bc9
SHA256:	407ae7a2edaae00d7e109b746153310fcfed60104687bde65b90b9a46c85f655
SHA512:	e430c21007912817794c63721f7bfa03ef29731210d2d5c4ad1016e9fd7e9819b7313fca8acee9cf688e62bb9d8702e17f3fa6433334994fbe0e5b48499eb8b7
SSDEEP:	393216:Jke/HXgYtDypsYf1cfKdsVQjL2DL7ybBgK2jfQg/J13nM3D58YOEhDSwF/4v9tp6:2kX1lqH1aLQL2LOgpLlnc58oDDgtq1bT
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	f2699df1626d79b0

Static PE Info

General
Entrypoint:	0x4117dc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x57051F88 [Wed Apr 6 14:39:04 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/25/2019 4:00:00 PM 12/25/2020 3:59:59 PM
Subject Chain	CN=Craft LLC, O=Craft LLC, STREET="Melkombinatovsky travel, 8a5 office;1st floor", L=Kirov, S=Kirov Region, PostalCode=610017, C=RU
Version:	3
Thumbprint MD5:	763472766FF80241B7745A9B34379D5F
Thumbprint SHA-1:	7EC79998CC60F60CBCF8C5287C888C619CEB74E7
Thumbprint SHA-256:	FFC8E2421577BAD82677C42BB4B73265A83138800666C24BE2F59B5664AD42AF
Serial:	0771722FC86D51EDCD1D9B6DCCDB9919

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 00410144h
call 00007FF2FC91053Dh
xor eax, eax
push ebp
push 00411EBEh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00411E7Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [00415B48h]
call 00007FF2FC918C83h
call 00007FF2FC9187D2h
cmp byte ptr [00412ADCh], 00000000h
je 00007FF2FC91B77Eh
call 00007FF2FC918D98h
xor eax, eax
call 00007FF2FC90E5D5h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FF2FC91581Bh
mov edx, dword ptr [ebp-14h]
mov eax, 00418658h
call 00007FF2FC90EBAAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [00418658h]
mov dl, 01h
mov eax, dword ptr [0040C04Ch]
call 00007FF2FC916132h
mov dword ptr [0041865Ch], eax
xor edx, edx
push ebp
push 00411E26h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FF2FC918CF6h
mov dword ptr [00418664h], eax
mov eax, dword ptr [00418664h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FF2FC91B7BAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x12850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16f6dc8	0x1888
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf244	0xf400	False	0.548171746926	data	6.37521350405	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xf64	0x1000	False	0.55859375	data	5.73220066616	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc88	0xe00	False	0.253348214286	data	2.29672090879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x13000	0x56bc	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x19000	0xe04	0x1000	False	0.321533203125	data	4.59781255771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x1a000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x18	0x200	False	0.05078125	data	0.20448815744	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x12850	0x12a00	False	0.187460675336	data	5.0847150123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1c44c	0x4228	data	English	United States
RT_ICON	0x20674	0x25a8	data	English	United States
RT_ICON	0x22c1c	0x10a8	data	English	United States
RT_ICON	0x23cc4	0xcd8	data	English	United States
RT_ICON	0x2499c	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x24e04	0x68	data
RT_STRING	0x24e6c	0xd4	data
RT_STRING	0x24f40	0xa4	data
RT_STRING	0x24fe4	0x2ac	data
RT_STRING	0x25290	0x34c	data
RT_STRING	0x255dc	0x294	data
RT_RCDATA	0x25870	0x82e8	data	English	United States
RT_RCDATA	0x2db58	0x10	data
RT_RCDATA	0x2db68	0x150	data
RT_RCDATA	0x2dcb8	0x2c	data
RT_GROUP_ICON	0x2dce4	0x4c	data	English	United States
RT_VERSION	0x2dd30	0x4f4	data	English	United States
RT_MANIFEST	0x2e224	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Version Infos

Description	Data
LegalCopyright
FileVersion
CompanyName
Comments	This installation was built with Inno Setup.
ProductName
ProductVersion
FileDescription
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 17:59:42.483756065 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.484730005 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.618139029 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.618268013 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.618953943 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.621529102 CET	80	49746	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.621646881 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.751964092 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.752037048 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.752116919 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.764344931 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.898768902 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:42.898996115 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:42.913793087 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.047821045 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048188925 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048230886 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048274040 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048297882 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.048301935 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.048352957 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.048372030 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.051188946 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.051254988 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.113617897 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.119852066 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.248575926 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.250466108 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.293092966 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309756041 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309809923 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309845924 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309883118 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.309954882 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.309964895 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310015917 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310039997 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310094118 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310118914 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310164928 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310185909 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310220003 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.310319901 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.310326099 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.452526093 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.465100050 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.465136051 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.469568014 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.469605923 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.470282078 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.470335960 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.471849918 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.586801052 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587321997 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587374926 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587445974 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587486029 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587493896 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587519884 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587537050 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.587546110 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587590933 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.587599039 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.588327885 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.590691090 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.598434925 CET	80	49747	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.599673033 CET	49747	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.602674961 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.602803946 CET	80	49746	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.602938890 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.602960110 CET	49746	80	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.603108883 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.603916883 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.604854107 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.605041981 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.605103016 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.605268002 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.605881929 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.606201887 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.611850023 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612154961 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612189054 CET	49752	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.612505913 CET	49751	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.613655090 CET	49753	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.725737095 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.725804090 CET	443	49748	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.725894928 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.725955009 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.728725910 CET	49748	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754601002 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754635096 CET	443	49750	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754654884 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754689932 CET	443	49749	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754714966 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754755974 CET	49750	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754812956 CET	443	49752	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754832983 CET	443	49751	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754851103 CET	443	49753	54.39.133.136	192.168.2.3
Jan 11, 2021 17:59:43.754868984 CET	49749	443	192.168.2.3	54.39.133.136
Jan 11, 2021 17:59:43.754873991 CET	443	49751	54.39.133.136	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2021 17:58:42.740089893 CET	53023	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:42.788237095 CET	53	53023	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:43.606468916 CET	49563	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:43.654539108 CET	53	49563	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:44.545748949 CET	51352	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:44.602273941 CET	53	51352	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:46.714562893 CET	59349	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:46.763588905 CET	53	59349	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:47.755930901 CET	57084	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:47.803766966 CET	53	57084	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:48.533551931 CET	58823	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:48.581424952 CET	53	58823	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:53.237919092 CET	57568	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:53.286305904 CET	53	57568	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:54.134023905 CET	50540	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:54.187947989 CET	53	50540	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:55.017010927 CET	54366	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:55.064964056 CET	53	54366	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:55.820069075 CET	53034	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:55.868105888 CET	53	53034	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:56.678369045 CET	57762	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:56.726350069 CET	53	57762	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:57.494085073 CET	55435	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:57.541990042 CET	53	55435	8.8.8.8	192.168.2.3
Jan 11, 2021 17:58:58.311652899 CET	50713	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:58:58.362329960 CET	53	50713	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:12.790934086 CET	56132	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:12.841727972 CET	53	56132	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:20.220263958 CET	58987	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:20.278008938 CET	53	58987	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:27.469937086 CET	56579	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:27.528049946 CET	53	56579	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:31.911442041 CET	60633	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:31.974312067 CET	53	60633	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:33.320950985 CET	61292	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:33.379729986 CET	53	61292	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:36.437645912 CET	63619	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:36.493783951 CET	53	63619	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:41.218703985 CET	64938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:41.270613909 CET	61946	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:41.276972055 CET	53	64938	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:41.335743904 CET	53	61946	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:42.405960083 CET	64910	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:42.464117050 CET	53	64910	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:43.465065956 CET	52123	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:43.534511089 CET	53	52123	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:44.996952057 CET	56130	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:45.056008101 CET	53	56130	8.8.8.8	192.168.2.3
Jan 11, 2021 17:59:47.764730930 CET	56338	53	192.168.2.3	8.8.8.8
Jan 11, 2021 17:59:47.835721970 CET	53	56338	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:11.194204092 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:11.242177010 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:12.079523087 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:12.136121988 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:12.191696882 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:12.248117924 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:13.083915949 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:13.140383959 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:13.191121101 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:13.247313023 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:14.136617899 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:14.184643030 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:15.191504002 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:15.247745037 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:16.144259930 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:16.192390919 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:19.232702971 CET	59420	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:19.289062023 CET	53	59420	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:20.160113096 CET	58784	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:20.208046913 CET	53	58784	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:21.074881077 CET	63978	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:21.122796059 CET	53	63978	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:38.154186964 CET	62938	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:38.205246925 CET	53	62938	8.8.8.8	192.168.2.3
Jan 11, 2021 18:00:38.603552103 CET	55708	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:00:38.675530910 CET	53	55708	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:35.698355913 CET	56803	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:35.804193020 CET	53	56803	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:36.441159964 CET	57145	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:36.497481108 CET	53	57145	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:38.153460979 CET	55359	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:38.214943886 CET	53	55359	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:38.685592890 CET	58306	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:38.757034063 CET	53	58306	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:39.297667027 CET	64124	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:39.356237888 CET	53	64124	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:40.050431013 CET	49361	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:40.106930971 CET	53	49361	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:40.786555052 CET	63150	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:40.843008995 CET	53	63150	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:41.999900103 CET	53279	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:42.058938980 CET	53	53279	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:43.430733919 CET	56881	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:43.487091064 CET	53	56881	8.8.8.8	192.168.2.3
Jan 11, 2021 18:01:44.163132906 CET	53642	53	192.168.2.3	8.8.8.8
Jan 11, 2021 18:01:44.222630978 CET	53	53642	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 11, 2021 17:59:41.270613909 CET	192.168.2.3	8.8.8.8	0x3680	Standard query (0)	www.spyrix.com	A (IP address)	IN (0x0001)
Jan 11, 2021 17:59:42.405960083 CET	192.168.2.3	8.8.8.8	0x5aef	Standard query (0)	www.spyrix.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 11, 2021 17:59:41.335743904 CET	8.8.8.8	192.168.2.3	0x3680	No error (0)	www.spyrix.com	spyrix.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 17:59:41.335743904 CET	8.8.8.8	192.168.2.3	0x3680	No error (0)	spyrix.com		54.39.133.136	A (IP address)	IN (0x0001)
Jan 11, 2021 17:59:42.464117050 CET	8.8.8.8	192.168.2.3	0x5aef	No error (0)	www.spyrix.com	spyrix.com		CNAME (Canonical name)	IN (0x0001)
Jan 11, 2021 17:59:42.464117050 CET	8.8.8.8	192.168.2.3	0x5aef	No error (0)	spyrix.com		54.39.133.136	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.spyrix.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	54.39.133.136	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 11, 2021 17:59:42.618953943 CET	3840	OUT	GET /spyrix-products.php?from=sfk_install HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.spyrix.com Connection: Keep-Alive
Jan 11, 2021 17:59:42.752037048 CET	3841	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.17.3 Date: Mon, 11 Jan 2021 16:59:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://www.spyrix.com/spyrix-products.php?from=sfk_install Strict-Transport-Security: max-age=0; Data Raw: 61 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a9<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.17.3</center></body></html>0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 11, 2021 17:59:43.051188946 CET	54.39.133.136	443	192.168.2.3	49748	CN=spyrix.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Nov 10 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Sun Dec 12 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: sfk_setup.exe PID: 6736 Parent PID: 5780

General

Start time:	17:58:52
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\sfk_setup.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sfk_setup.exe'
Imagebase:	0x400000
File size:	24086096 bytes
MD5 hash:	945D981860358A2DA40321783865F6DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: sfk_setup.tmp PID: 6772 Parent PID: 6736

General

Start time:	17:58:53
Start date:	11/01/2021
Path:	C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\is-MG0AC.tmp\sfk_setup.tmp' /SL5='$2A0068,23551647,152064,C:\Users\user\Desktop\sfk_setup.exe'
Imagebase:	0x400000
File size:	1210368 bytes
MD5 hash:	E40F7EB5C693C2D90A28CBA04D85D286
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000003.338505056.0000000009303000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: regedit.exe PID: 6364 Parent PID: 6772

General

Start time:	17:59:24
Start date:	11/01/2021
Path:	C:\Windows\SysWOW64\regedit.exe
Wow64 process (32bit):	true
Commandline:	'regedit.exe' /e 'C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid' 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1'
Imagebase:	0xfa0000
File size:	316416 bytes
MD5 hash:	617538C965AC4DDC72F9CF647C4343D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: iexplore.exe PID: 1844 Parent PID: 6772

General

Start time:	17:59:40
Start date:	11/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' http://www.spyrix.com/spyrix-products.php?from=sfk_install
Imagebase:	0x7ff6cb5e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: spkl.exe PID: 6448 Parent PID: 6772

General

Start time:	17:59:41
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Imagebase:	0x400000
File size:	5197960 bytes
MD5 hash:	B3660FFBFB44E9C85287E9BF41126C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000002.613741986.0000000000401000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000003.316681311.0000000004810000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: iexplore.exe PID: 4848 Parent PID: 1844

General

Start time:	17:59:40
Start date:	11/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1844 CREDAT:17410 /prefetch:2
Imagebase:	0x1150000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: spmm.exe PID: 5340 Parent PID: 6448

General

Start time:	17:59:59
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' 'Spyrix Free Keylogger 11.5.1'
Imagebase:	0x400000
File size:	975496 bytes
MD5 hash:	E0C9D91F9EBD2F3974B42B4DDFC1F6DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000003.353294835.0000000003670000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.613417816.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: sime64.exe PID: 6400 Parent PID: 6448

General

Start time:	18:00:06
Start date:	11/01/2021
Path:	C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe
Wow64 process (32bit):	false
Commandline:	'C:\ProgramData\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sime64.exe' exitime64
Imagebase:	0x400000
File size:	3255944 bytes
MD5 hash:	66D5C7CA9D59F4F6F51907CBC2C9A5E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sfk_setup.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre