
Incident Response

Risk Assessment

  • Spyware
    • Contains ability to open the clipboard
    • Found a string that may be used as part of an injection method
  • Persistence
    • Modifies auto-execute functionality by setting/creating a value in the registry
    • Writes data to a remote process
  • Fingerprint
    • Queries kernel debugger information
    • Queries process information
    • Queries sensitive IE security settings
    • Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
    • Reads the active computer name
    • Reads the cryptographic machine GUID
  • Evasive
    • Marks file for deletion
  • Spreading
    • Opens the MountPointManager (often used to detect additional infection locations)
  • Network Behavior
    • Contacts 7 domains and 8 hosts.

MITRE ATT&CK™ Techniques Detection

This report has 38 indicators that were mapped to 22 attack techniques and 9 tactics.

Indicators

Not all malicious and suspicious indicators are displayed.

  • External Systems
    • Sample was identified as malicious by a large number of Antivirus engines

      details 33/70 Antivirus vendors marked sample as malicious (47% detection rate) source: External System, relevance: 10/10

    • Sample was identified as malicious by at least one Antivirus engine

      details 33/70 Antivirus vendors marked sample as malicious (47% detection rate) source: External System, relevance: 8/10

  • General
    • The analysis extracted a file that was identified as malicious

      details 27/65 Antivirus vendors marked dropped file "Your Package Tracked Now.exe" as malicious (classified as "Gen:Variant.Razy" with 41% detection rate)
      5/68 Antivirus vendors marked dropped file "Uninstall.exe" as malicious (classified as "W32.Adware" with 7% detection rate)
      1/93 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "Adware.Domage.Neobar.BF" with 1% detection rate) source: Extracted File, relevance: 10/10

    • The analysis spawned a process that was identified as malicious

      details 27/65 Antivirus vendors marked spawned process "Your Package Tracked Now.exe" (PID: 2568) as malicious (classified as "Gen:Variant.Razy" with 41% detection rate) source: Monitored Target, relevance: 10/10

  • Installation/Persistence
    • Allocates virtual memory in a remote process

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" allocated memory in "%LOCALAPPDATA%\Your Package Tracked Now\Uninstall.exe"
      "iexplore.exe" allocated memory in "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" source: API Call, relevance: 7/10, ATT&CK ID: T1055

    • Writes data to a remote process

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" (Handle: 1444)
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" (Handle: 1444)
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" (Handle: 1444)
      "Your Package Tracked Now.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 1420)
      "Your Package Tracked Now.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 1420)
      "Your Package Tracked Now.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 1420)
      "iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 884)
      "iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 884)
      "iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 884) source: API Call, relevance: 6/10, ATT&CK ID: T1055

  • Network Related
    • Malicious artifacts seen in the context of a contacted host

      details Found malicious artifacts related to "3.18.236.124": ...

      Found malicious artifacts related to "13.33.155.54": ...
      Found malicious artifacts related to "13.33.155.152": ...
      Found malicious artifacts related to "13.33.155.51": ...
      Found malicious artifacts related to "13.33.155.86": ...
      Found malicious artifacts related to "3.18.145.221": ...
      Found malicious artifacts related to "52.202.155.97": ...

      source: Network Traffic, relevance: 10/10

    • Multiple malicious artifacts seen in the context of different hosts

      source: Network Traffic, relevance: 10/10

  • Unusual Characteristics
    • Checks for a resource fork (ADS) file

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" checked file "C:"
      "Your Package Tracked Now.exe" checked file "C:" source: API Call, relevance: 5/10

    • Contains ability to reboot/shutdown the operating system
  • Hiding 1 malicious indicator

  • Anti-Reverse Engineering
    • Creates guarded memory regions (anti-debugging trick to avoid memory dumping)

      details "Your Package Tracked Now.exe" is protecting 8192 bytes with PAGE_GUARD access rights source: API Call, relevance: 10/10

    • Looks up many procedures within the same disassembly stream (often used to hide usage)
    • Possibly checks for known debuggers/analysis tools

      "2018 tax forms irs" (Indicator: "ntice") [source: String; relevance: 2/10]

  • Cryptographic Related
    • Found a cryptographic related string

      details "DES" (Indicator: "des"; File: "00278712-00002568.00000002.282874.009DF000.00000002.mdmp") [source: String; relevance: 10/10]

  • Environment Awareness
    • Contains ability to query CPU information
    • Contains ability to read monitor info
    • Reads the active computer name

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "Your Package Tracked Now.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") [source: Registry Access; relevance: 5/10; ATT&CK ID T1012]

    • Reads the cryptographic machine GUID

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "Your Package Tracked Now.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") [source: Registry Access; relevance: 10/10; ATT&CK ID T1012]

  • External Systems
    • Found an IP/URL artifact that was identified as malicious by at least one reputation engine

      details 2/66 reputation engines marked "http://sbdistro.com" as malicious (3% detection rate)
      1/66 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate) [source: External System; relevance: 10/10]

  • General
    • Contains ability to find and load resources of a specific module
    • Reads configuration files

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" read file "%WINDIR%\win.ini"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" read file "%USERPROFILE%\Users\%OSUSER%\Desktop\desktop.ini" [source: API Call; relevance: 4/10]

  • Installation/Persistance
    • Drops executable files

      details "Your Package Tracked Now.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "npHelper.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
      "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" [source: Extracted File; relevance: 10/10]

    • Modifies auto-execute functionality by setting/creating a value in the registry

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "YOUR PACKAGE TRACKED NOW"; Value: ""%LOCALAPPDATA%\Your Package Tracked Now\Your Package Tracked Now.exe" /delay 0") [source: Registry Access; relevance: 8/10; ATT&CK ID T1060]

  • Network Related
    • Found potential IP address in binary/memory

      details Heuristic match: "/Content/kits/SBVersion.json?distSubId3=3.1.0.5"
      Heuristic match: "GET /Content/kits/SBVersion.json?distSubId3=3.1.0.5 HTTP/1.1
      Accept-Encoding: gzip,deflate
      Host: sbdistro.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "3.1.0.5" [source: String; relevance: 3/10]

    • Sends traffic on typical HTTP outbound port, but without HTTP header

      details TCP traffic to 3.18.236.124 on port 80 is sent without HTTP header
      TCP traffic to 3.18.236.124 on port 443 is sent without HTTP header
      TCP traffic to 13.33.155.54 on port 80 is sent without HTTP header
      TCP traffic to 13.33.155.152 on port 80 is sent without HTTP header
      TCP traffic to 13.33.155.51 on port 80 is sent without HTTP header
      TCP traffic to 13.33.155.86 on port 80 is sent without HTTP header
      TCP traffic to 3.18.145.221 on port 80 is sent without HTTP header
      TCP traffic to 52.202.155.97 on port 80 is sent without HTTP header [source: Network Traffic; relevance: 5/10]

  • Pattern Matching
    • Contains ability to download files from the internet
  • Spyware/Information Retrieval
    • Contains ability to enumerate processes/modules/threads
    • Contains ability to open the clipboard
  • System Destruction
    • Marks file for deletion

      details "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nskC70C.tmp" for deletion
      "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nsqC72E.tmp" for deletion
      "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nsqC72E.tmp\npHelper.dll" for deletion
      "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nsqC72E.tmp\nsDialogs.dll" for deletion
      "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nsqC72E.tmp\System.dll" for deletion
      "C:\YourPackageTrackedNow_5cadf9e53f83d.exe" marked "%TEMP%\nsqC72E.tmp\terms.rtf" for deletion [source: API Call; relevance: 10/10; ATT&CK ID T1107]

    • Opens file with deletion access rights

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nskC70C.tmp" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp\npHelper.dll" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp\nsDialogs.dll" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp\System.dll" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp\terms.rtf" with delete access
      "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "%TEMP%\nsqC72E.tmp\" with delete access [source: API Call; relevance: 7/10]

  • System Security
    • Modifies proxy settings

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "Your Package Tracked Now.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
      "Your Package Tracked Now.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
      "Your Package Tracked Now.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
      "Your Package Tracked Now.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "Your Package Tracked Now.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") [source: Registry Access; relevance: 10/10; ATT&CK ID T1112]

  • Unusual Characteristics
    • CRC value set in PE header does not match actual value

      details "Your Package Tracked Now.exe" claimed CRC 1635263 while the actual is CRC 780379
      "npHelper.dll" claimed CRC 381063 while the actual is CRC 50653
      "Uninstall.exe" claimed CRC 97853 while the actual is CRC 381063 [source: Static Parser; relevance: 10/10]
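The "CRC" in this indicator is the CheckSum field of the PE optional header, which the sandbox recomputes over the whole file and compares with the stored value. The Python below is an added example (not part of this report and not code from the sample) that performs the same check with the arithmetic imagehlp's CheckSumMappedFile uses; it builds a constructed header skeleton to run against, so no file from the report is needed. Treat a mismatch as weak evidence on its own: many linkers leave the field zero, and a binary patched or repacked after linking carries a stale value (an NSIS uninstaller is written out by the installer at install time), whereas Windows itself enforces the field only for images such as kernel-mode drivers.

```python
"""Recompute and verify the PE optional-header CheckSum (the "CRC" in the report)."""
import struct


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 0x40 (field offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data):
    """Sum the file as little-endian dwords with end-around carry, skipping the dword
    that holds the CheckSum field, fold to 16 bits, then add the unpadded file length."""
    skip = checksum_field_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data):
    """Return (claimed, actual, verdict); verdict is 'unset', 'match' or 'mismatch'."""
    claimed = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    actual = pe_checksum(data)
    if claimed == 0:
        verdict = "unset"        # linker never filled it in: common, not suspicious by itself
    elif claimed == actual:
        verdict = "match"
    else:
        verdict = "mismatch"     # what the sandbox flags: stale (post-link edit) or forged value
    return claimed, actual, verdict


def set_checksum(data):
    """Return a copy with the correct CheckSum written in (what a linker's /RELEASE does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe(size=0x200):
    """Constructed test input: an MZ/PE header skeleton, not a loadable image."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)      # Machine = i386, NumberOfSections = 1
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x102)   # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x10B)          # Magic = PE32; CheckSum field lands at 0x98
    return bytes(buf)


if __name__ == "__main__":
    image = set_checksum(build_minimal_pe())
    print("fresh image:  ", verify_checksum(image))
    patched = bytearray(image)
    patched[0x100] ^= 0x01                            # a one-byte edit after "linking"
    print("patched image:", verify_checksum(bytes(patched)))
```

Run against a real file with `verify_checksum(open(path, "rb").read())`; the numbers the report prints for each dropped file are the `claimed` and `actual` values of that tuple.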

    • Imports suspicious APIs

      details RegCreateKeyExW
      RegDeleteValueW
      RegCloseKey
      OpenProcessToken
      RegEnumKeyW
      RegOpenKeyExW
      RegDeleteKeyW
      CopyFileW
      GetModuleFileNameW
      GetFileAttributesW
      GetFileSize
      GetCommandLineW
      LoadLibraryExW
      CreateDirectoryW
      DeleteFileW
      GetProcAddress
      GetTempFileNameW
      GetModuleHandleA
      CreateThread
      FindNextFileW
      GetTempPathW
      FindFirstFileW
      GetModuleHandleW
      WriteFile
      CreateFileW
      CreateProcessW
      Sleep
      GetTickCount
      ShellExecuteW
      FindWindowExW
      SetSecurityDescriptorDacl
      RegEnumKeyExW
      UnhandledExceptionFilter
      FindResourceExW
      ConnectNamedPipe
      OutputDebugStringW
      IsDebuggerPresent
      LoadLibraryExA
      DisconnectNamedPipe
      ExitThread
      TerminateProcess
      GetModuleHandleExW
      CreateToolhelp32Snapshot
      LoadLibraryW
      GetVersionExW
      VirtualProtect
      OpenProcess
      GetStartupInfoW
      GetFileSizeEx
      FindFirstFileExW
      FindResourceW
      Process32NextW
      LockResource
      GetCommandLineA
      Process32FirstW
      VirtualAlloc
      ShellExecuteExW
      GetCursorPos
      GetUpdateRect
      HttpQueryInfoW
      InternetConnectW
      InternetCloseHandle
      InternetCrackUrlW
      HttpSendRequestW
      InternetReadFile
      InternetOpenW
      GetModuleFileNameA
      FindFirstFileExA
      FindNextFileA
      GetModuleFileNameExW [source: Static Parser; relevance: 1/10]

    • Installs hooks/patches the running process

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "d4cec97595a3c97582f3c875987bcb751f93c875bccec9751af1c9753d6dca7587f1c975f8bfc97562f1c9757da3c97527f1c9755ac6c975252ec97500d0c975000000003d4247770000000008225076d1e44d7600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110675" to virtual address "0x750783C4" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "48120675" to virtual address "0x75078364" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "6012796f" to virtual address "0x716B4028" (part of module "WEBIO.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74661000" (part of module "WSHTCPIP.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "48120675" to virtual address "0x750783C0" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110675" to virtual address "0x750783E0" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "6012796f" to virtual address "0x75ADE324" (part of module "WININET.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110000" to virtual address "0x750612CC" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110675" to virtual address "0x7507834C" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110000" to virtual address "0x75061408" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "b84013796fffe0" to virtual address "0x75061248" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0c97500000000c5eac9750000000088eac97500000000e968337582283277ee29327700000000d2693375000000007dbbc9750000000009be337500000000ba18c97500000000" to virtual address "0x760F1000" (part of module "NSI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "48120675" to virtual address "0x75078348" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "f8110675" to virtual address "0x75078368" (part of module "SSPICLI.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "68130000" to virtual address "0x75511680" (part of module "WS2_32.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "d0557076647379760000000051c1d3759498d375ee9cd37575dcd575273ed5750fb3d97500000000acdcc9751bf7c975c108cb75c0d9c975152ec97536dac975d5d9c97530c6c975e0c2c97542c6c9751bc6c97586c4c97572c6c97500000000" to virtual address "0x6F941000" (part of module "SHFOLDER.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "e7392e77e1a632772e713277ee29327785e22d776da03277906431773ad5387726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74B91000" (part of module "WSHIP6.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "b83012796fffe0" to virtual address "0x75511368" (part of module "WS2_32.DLL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" wrote bytes "48120000" to virtual address "0x7506139C" (part of module "SSPICLI.DLL") [source: Hook Detection; relevance: 10/10; ATT&CK ID T1179]
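The Hook Detection entries above record raw bytes that the sample's process wrote into loaded system DLLs, and the bytes themselves say what kind of patch each one is. The Python below is an added example, not part of the report, that decodes them: the two 7-byte writes (SSPICLI.DLL at 0x75061248, WS2_32.DLL at 0x75511368) are `B8 imm32 FF E0`, i.e. `mov eax, imm32 ; jmp eax`, an absolute trampoline into 0x6F791340 and 0x6F791230; the long writes at 0x74661000, 0x760F1000, 0x10003000 and similar are arrays of 4-byte pointers into other modules, the shape an import address table has while the loader resolves it (the pointer test is a heuristic and is marked as such in the code); the 4-byte writes are either single pointers or small RVA-sized values. The `jmp rel32`, `push imm32 ; ret` and `jmp [abs32]` shapes do not appear on this page and are included because they are the other common inline-hook prologues. Decoding tells you what was written; deciding whether the loader or the sample authored a given write still needs the process memory dump.

```python
"""Classify the byte patches a sandbox lists as 'wrote bytes X to virtual address Y'."""
import struct

# Constructed from the Hook Detection entries in this report: (target address, hex bytes).
SAMPLE_WRITES = [
    (0x75061248, "b84013796fffe0"),                     # SSPICLI.DLL
    (0x75511368, "b83012796fffe0"),                     # WS2_32.DLL
    (0x750783C4, "f8110675"),                           # SSPICLI.DLL
    (0x750612CC, "f8110000"),                           # SSPICLI.DLL
    (0x74661000, "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77"
                 "d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000"),  # WSHTCPIP.DLL
]

# Heuristic (assumption): 32-bit user-mode code and data live between 64 KiB and 2 GiB.
USER_LOW, USER_HIGH = 0x00010000, 0x80000000


def looks_like_pointer(value):
    return USER_LOW <= value < USER_HIGH


def classify_write(address, hexbytes):
    """Return (kind, detail) for one write; detail is the decoded target or the dwords."""
    data = bytes.fromhex(hexbytes)
    n = len(data)
    if n == 7 and data[0] == 0xB8 and data[5:] == b"\xff\xe0":       # mov eax, imm32 ; jmp eax
        return "mov_eax_jmp_eax", struct.unpack_from("<I", data, 1)[0]
    if n == 6 and data[0] == 0x68 and data[5] == 0xC3:                # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", data, 1)[0]
    if n == 6 and data[:2] == b"\xff\x25":                             # jmp dword ptr [abs32]
        return "jmp_indirect", struct.unpack_from("<I", data, 2)[0]
    if n == 5 and data[0] == 0xE9:                                     # jmp rel32, from next insn
        rel = struct.unpack_from("<i", data, 1)[0]
        return "jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF
    if n % 4 == 0:
        words = struct.unpack("<%dI" % (n // 4), data)
        if any(looks_like_pointer(w) for w in words) and all(w == 0 or looks_like_pointer(w) for w in words):
            return ("pointer" if n == 4 else "pointer_table"), words   # IAT-fill shape (heuristic)
        if n == 4:
            return "dword", words[0]                                   # e.g. an RVA-sized value
    return "raw", data


def decode_writes(writes):
    """Decode a list of (address, hexbytes) into (address, kind, detail) triples."""
    return [(addr, *classify_write(addr, hexbytes)) for addr, hexbytes in writes]


if __name__ == "__main__":
    for addr, kind, detail in decode_writes(SAMPLE_WRITES):
        if isinstance(detail, int):
            shown = "0x%08X" % detail
        else:
            shown = "%d entries, first 0x%08X" % (len(detail), detail[0])
        print("0x%08X  %-16s %s" % (addr, kind, shown))
```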

    • Reads information about supported languages

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Your Package Tracked Now.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") [source: Registry Access; relevance: 3/10; ATT&CK ID T1012]

  • Hiding 18 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version

  • Anti-Detection/Stealthyness
    • Contains ability to lookup its own filename
  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
    • PE file contains zero-size sections

      details Raw size of ".ndata" is zero [source: Static Parser; relevance: 10/10]

  • Environment Awareness
    • Contains ability to query machine time
    • Contains ability to query the machine timezone
    • Contains ability to query the machine version
    • Contains ability to query the system locale
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
    • Possibly tries to detect the presence of a debugger
    • Queries volume information

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" queries volume information of "%LOCALAPPDATA%\Your Package Tracked Now\Your Package Tracked Now.exe" at 00275775-00001440-0000010C-66920161423
      "YourPackageTrackedNow_5cadf9e53f83d.exe" queries volume information of "C:\" at 00275775-00001440-0000010C-97671008340
      "Your Package Tracked Now.exe" queries volume information of "%WINDIR%\Fonts\arial.ttf" at 00278712-00002568-0000010C-111380722197
      "Your Package Tracked Now.exe" queries volume information of "%WINDIR%\Fonts\segoeuil.ttf" at 00278712-00002568-0000010C-112211742460 [source: API Call; relevance: 2/10; ATT&CK ID T1120]

    • Queries volume information of an entire harddrive

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" queries volume information of "C:\" at 00275775-00001440-0000010C-97671008340 [source: API Call; relevance: 8/10; ATT&CK ID T1120]

    • Reads the registry for installed applications

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ONEDRIVESETUP.EXE")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1BB10B8C-6E63-4897-9FB2-3873CE30D7E1}")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\YOURPACKAGETRACKEDNOW_5CADF9E53F83D.EXE")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\YOURPACKAGETRACKEDNOW_5CADF9E53F83D.EXE")
      "Your Package Tracked Now.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
      "Your Package Tracked Now.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
      "Your Package Tracked Now.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE"; Key: "PATH"; Value: "00000000010000004800000043003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072003B000000")
      "Your Package Tracked Now.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YOUR PACKAGE TRACKED NOW")
      "Your Package Tracked Now.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YOUR PACKAGE TRACKED NOW"; Key: "UNINSTALLIMP"; Value: …)
      "Your Package Tracked Now.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YOUR PACKAGE TRACKED NOW"; Key: "INSTALLLOCATION"; Value: "00000000010000007000000043003A005C00550073006500720073005C00340062004A00550074004A007A005C0041007000700044006100740061005C004C006F00630061006C005C0059006F007500720020005000610063006B00610067006500200054007200610063006B006500640020004E006F0077000000") [source: Registry Access; relevance: 10/10; ATT&CK ID T1012]
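Two of the values above (the IEXPLORE.EXE PATH and the INSTALLLOCATION of the dropped program) are printed as hex rather than text. Read as bytes, each starts with four zero bytes, a little-endian registry type (1 = REG_SZ) and a little-endian byte length, followed by UTF-16LE data. That layout is inferred from these two blobs alone; it is an assumption about how the sandbox serialises values, not something it documents. The Python below is an added example, not part of the report, that decodes them and recovers the install path the sample registered; it also accepts the headerless 8-hex-digit form shown for PROXYENABLE under System Security and treats it as a bare REG_DWORD, which is likewise an assumption.

```python
"""Decode the hex-serialised registry values this report prints for string and dword data."""
import struct

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# Copied from the report (Reads the registry for installed applications / Modifies proxy settings).
PATH_VALUE = ("00000000010000004800000043003A005C00500072006F006700720061006D002000460069006C0065"
              "0073005C0049006E007400650072006E006500740020004500780070006C006F007200650072003B000000")
INSTALL_LOCATION_VALUE = ("00000000010000007000000043003A005C00550073006500720073005C00340062004A00550074004A007A"
                          "005C0041007000700044006100740061005C004C006F00630061006C005C0059006F0075007200200050"
                          "00610063006B00610067006500200054007200610063006B006500640020004E006F0077000000")
PROXY_ENABLE_VALUE = "00000000"   # headerless form the report uses for PROXYENABLE


def decode_reg_value(hexblob):
    """Return (type name, decoded value).
    Assumed layout: 4 reserved bytes (seen as zero), u32 type, u32 byte length, then data."""
    raw = bytes.fromhex(hexblob)
    if len(raw) == 4:                                  # assumption: bare DWORD with no header
        return "REG_DWORD", struct.unpack("<I", raw)[0]
    if len(raw) < 12:
        raise ValueError("blob too short for the 12-byte header")
    reserved, reg_type, length = struct.unpack_from("<III", raw, 0)
    if reserved != 0:
        raise ValueError("unexpected reserved field 0x%08x" % reserved)
    data = raw[12:12 + length]
    if len(data) != length:
        raise ValueError("declared length %d exceeds %d available bytes" % (length, len(raw) - 12))
    name = REG_TYPES.get(reg_type, "REG_TYPE_%d" % reg_type)
    if reg_type in (1, 2):                              # one NUL-terminated UTF-16LE string
        return name, data.decode("utf-16-le").split("\0", 1)[0]
    if reg_type == 7:                                   # NUL-separated, double-NUL-terminated list
        return name, [s for s in data.decode("utf-16-le").split("\0") if s]
    if reg_type == 4 and length == 4:
        return name, struct.unpack("<I", data)[0]
    if reg_type == 11 and length == 8:
        return name, struct.unpack("<Q", data)[0]
    return name, data.hex()                             # REG_BINARY and anything unrecognised


if __name__ == "__main__":
    for label, blob in (("PATH", PATH_VALUE), ("INSTALLLOCATION", INSTALL_LOCATION_VALUE),
                        ("PROXYENABLE", PROXY_ENABLE_VALUE)):
        print(label, decode_reg_value(blob))
```

The decoded INSTALLLOCATION is the per-user path under %LOCALAPPDATA% that the Run value under Installation/Persistance also points at, so the two indicators corroborate each other.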

  • General
    • Accesses Software Policy Settings

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") [source: Registry Access; relevance: 10/10; ATT&CK ID T1012]

    • Accesses System Certificates Settings

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\2E4916B07F3DE90C8DDE2566FD9B9B400D89BBBA"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E6A3B45B062D509B3382282D196EFE97D5956CCB"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") [source: Registry Access; relevance: 10/10; ATT&CK ID T1112]

    • Contacts domains

      details "sbdistro.com"
      "o.ss2.us"
      "ocsp.rootg2.amazontrust.com"
      "ocsp.rootca1.amazontrust.com"
      "ocsp.sca1b.amazontrust.com"
      "imp.hyourpackagetrackednow.com"
      "results.hyourpackagetrackednow.com" [source: Network Traffic; relevance: 1/10]

    • Contacts server

      details "3.18.236.124:80"
      "3.18.236.124:443"
      "13.33.155.54:80"
      "13.33.155.152:80"
      "13.33.155.51:80"
      "13.33.155.86:80"
      "3.18.145.221:80"
      "52.202.155.97:80" [source: Network Traffic; relevance: 1/10]

    • Contains PDB pathways

      details "D:\Autobuild\Work\trunk\SearchBar\Release\SearchBar.pdb" [source: String; relevance: 1/10]

    • Contains ability to create named pipes for inter-process communication (IPC)
    • Creates a writable file in a temporary directory

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsaC71D.tmp"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\npHelper.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\npHelper.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\System.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\System.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\nsDialogs.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" created file "%TEMP%\nsqC72E.tmp\terms.rtf" [source: API Call; relevance: 1/10]

    • Creates mutants

      details "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Global\search_incognito_39970387-5943-430E-9CB4-DAF514B58CAF"
      "Global\search_incognito_39970387-5943-430E-9CB4-DAF514B58CAF"
      "Local\ZonesLockedCacheCounterMutex"
      "Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\!IECompat!Mutex"
      "\Sessions\1\BaseNamedObjects\Local\MSIMGSIZECacheMutex"
      "Local\MSIMGSIZECacheMutex"
      "!IECompat!Mutex"
      "\Sessions\1\BaseNamedObjects\IsoScope_ef0_IESQMMUTEX_0_519" [source: Created Mutant; relevance: 3/10]

    • Drops files marked as clean

      details Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
      Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows") [source: Extracted File; relevance: 10/10]

    • GETs files from a webserver

      details "GET /cgi/adk/chrdlid.cgi?id=5cadf9e53f83d HTTP/1.1
      Host: sbdistro.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "GET /Content/kits/sbui/widgets/packages/packages_ab.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ HTTP/1.1
      Accept-Encoding: gzip,deflate
      Host: sbdistro.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: o.ss2.us"
      "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.rootg2.amazontrust.com"
      "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.rootca1.amazontrust.com"
      "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAWEQXoxdztJoS725NO%2FiO8%3D HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: ocsp.sca1b.amazontrust.com"
      "GET /Content/kits/rotate_strings.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ HTTP/1.1
      Accept-Encoding: gzip,deflate
      Host: sbdistro.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "GET /Content/kits/SBVersion.json?distSubId3=3.1.0.5 HTTP/1.1
      Accept-Encoding: gzip,deflate
      Host: sbdistro.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "GET /impression.do?event=sbe_alive&useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_&subid2=3.1.0.5 HTTP/1.1
      Host: imp.hyourpackagetrackednow.com
      Connection: Keep-Alive
      Cache-Control: no-cache"
      "GET /impression.do?event=ex_installed&useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ HTTP/1.1
      Host: imp.hyourpackagetrackednow.com
      Connection: Keep-Alive
      Cache-Control: no-cache" [source: Network Traffic; relevance: 5/10]
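Four of the requests above carry User-Agent Microsoft-CryptoAPI/6.1 and go to o.ss2.us and the Amazon Trust Services OCSP responders. Those are revocation checks that Windows CryptoAPI issues while it validates a certificate chain, not requests the sample composed itself; the path is a DER-encoded OCSPRequest, base64-encoded and URL-escaped as RFC 6960 appendix A specifies for GET. The Python below is an added example, not part of the report, that decodes such a path with a small DER walker and pulls out the CertID (hash algorithm, issuer name hash, issuer key hash, certificate serial), which is what you need to identify the certificate being checked. The only page data it uses is the ocsp.rootg2.amazontrust.com path, copied inline.

```python
"""Decode an RFC 6960 GET-style OCSP request path into its CertID fields."""
import base64
import urllib.parse

# Copied from this report: the path CryptoAPI requested from ocsp.rootg2.amazontrust.com.
SAMPLE_PATH = ("/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zAr"
               "OIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children


def decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string (base-128 arcs; first byte packs two)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_path(path):
    """Return one dict per CertID in the OCSPRequest carried by an HTTP GET path."""
    # Base64 of a DER SEQUENCE always starts with 'M' (0x30), so leading slashes are URL, not data.
    der = base64.b64decode(urllib.parse.unquote(path).lstrip("/"))
    tag, ocsp_request, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    _, tbs_request, _ = der_tlv(ocsp_request)                     # tbsRequest
    # tbsRequest: optional [0] version and [1] requestorName (context tags 0xA0/0xA1),
    # then requestList SEQUENCE OF Request. Take the first universal SEQUENCE.
    request_list = next(val for t, val in der_children(tbs_request) if t == 0x30)
    cert_ids = []
    for _, request in der_children(request_list):
        cert_id = der_children(der_children(request)[0][1])         # reqCert CertID
        alg_oid = der_children(cert_id[0][1])[0][1]                 # AlgorithmIdentifier.algorithm
        oid = decode_oid(alg_oid)
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": cert_id[1][1].hex(),
            "issuer_key_hash": cert_id[2][1].hex(),
            "serial": cert_id[3][1].hex(),     # raw INTEGER bytes; may carry a leading 00
        })
    return cert_ids


if __name__ == "__main__":
    for cert in parse_ocsp_get_path(SAMPLE_PATH):
        print(cert)
```

The issuer key hash identifies the CA whose responder was asked; comparing it against the Amazon intermediates in the host's CA store (the HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA reads listed under General) separates chain validation noise from traffic worth chasing.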

    • Launches a browser

      details Launches browser "iexplore.exe"
      Launches browser "iexplore.exe" [source: Monitored Target; relevance: 3/10]

    • Loads rich edit control libraries
    • Logged script engine calls

      details "Your Package Tracked Now.exe" called "Microsoft.XMLHTTP.1.0.CreateObject" ... [source: API Call; relevance: 10/10]

    • Overview of unique CLSIDs touched in registry

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "WinInetBroker Class" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TREATAS")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
      "Your Package Tracked Now.exe" touched "Security Manager" (Path: "HKCU\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")
      "Your Package Tracked Now.exe" touched "Microsoft Web Browser" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}")
      "Your Package Tracked Now.exe" touched "Microsoft HTML Resource Pluggable Protocol" (Path: "HKCU\CLSID\{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
      "Your Package Tracked Now.exe" touched "HTML Document" (Path: "HKCU\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\TREATAS")
      "Your Package Tracked Now.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
      "Your Package Tracked Now.exe" touched "Browser Application State" (Path: "HKCU\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\TREATAS")
      "Your Package Tracked Now.exe" touched "JScript Language" (Path: "HKCU\CLSID\{16D51579-A30B-4C8B-A276-0FF4DC41E755}\TREATAS")
      "Your Package Tracked Now.exe" touched "Task Bar Communication" (Path: "HKCU\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
      "Your Package Tracked Now.exe" touched "CActiveIMMAppEx_Trident" (Path: "HKCU\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\TREATAS")
      "Your Package Tracked Now.exe" touched "PSOAInterface" (Path: "HKCU\CLSID\{00020424-0000-0000-C000-000000000046}\TREATAS")
      "Your Package Tracked Now.exe" touched "XML HTTP Request" (Path: "HKCU\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\TREATAS")
      "Your Package Tracked Now.exe" touched "TF_ThreadMgr" (Path: "HKCU\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\TREATAS")
      "Your Package Tracked Now.exe" touched "TF_InputProcessorProfiles" (Path: "HKCU\CLSID\{33C53A50-F456-4884-B049-85FD643ECFED}\TREATAS") source: Registry Access, relevance: 3/10

    • Process launched with changed environment

      details Process "iexplore.exe" was launched with new environment variables: "PATH="%PROGRAMFILES%\Internet Explorer;"" source: Monitored Target, relevance: 10/10

    • Reads Windows Trust Settings

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE") source: Registry Access, relevance: 5/10, ATT&CK ID T1012

    • Scanning for window names

      details "Your Package Tracked Now.exe" searching for class "Shell_TrayWnd"
      "Your Package Tracked Now.exe" searching for class "MS_AutodialMonitor"
      "Your Package Tracked Now.exe" searching for class "MS_WebCheckMonitor" source: API Call, relevance: 10/10, ATT&CK ID T1010

    • Spawns new processes

      details Spawned process "Your Package Tracked Now.exe" with commandline "/firstrun"
      Spawned process "iexplore.exe" with commandline "http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43 ..."
      Spawned process "iexplore.exe" with commandline "SCODEF:3824 CREDAT:275457 /prefetch:2" source: Monitored Target, relevance: 3/10

    • Spawns new processes that are not known child processes

      details Spawned process "Your Package Tracked Now.exe" with commandline "/firstrun"
      Spawned process "iexplore.exe" with commandline "http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43 ..."
      Spawned process "iexplore.exe" with commandline "SCODEF:3824 CREDAT:275457 /prefetch:2" source: Monitored Target, relevance: 3/10

    • The input sample is signed with a certificate

      details The input sample is signed with a certificate issued by "CN=thawte SHA256 Code Signing CA, O="thawte Inc.", C=US" (SHA1: A1:5F:EA:EE:DD:59:01:F3:9B:DD:BE:7D:FB:08:7F:37:13:DA:53:37; see report for more information)
      The input sample is signed with a certificate issued by "CN=thawte Primary Root CA, OU="c 2006 thawte Inc. - For authorized use only", OU=Certification Services Division, O="thawte Inc.", C=US" (SHA1: D0:0C:FD:BF:46:C9:8A:83:8B:C1:0D:C4:E0:97:AE:01:52:C4:61:BC; see report for more information) source: Certificate Data, relevance: 10/10, ATT&CK ID T1116

    • The input sample is signed with a valid certificate

      details The entire certificate chain of the input sample was validated successfully. source: Certificate Data, relevance: 10/10

  • Installation/Persistence
    • Connects to LPC ports

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" connecting to "\ThemeApiPort"
      "Your Package Tracked Now.exe" connecting to "\ThemeApiPort" source: API Call, relevance: 1/10

    • Dropped files

      details "Your Package Tracked Now.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "urlblockindex_1_.bin" has type "data"
      "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "npHelper.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "Uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
      "Your Package Tracked Now .lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Has command line arguments Icon number=0 Archive ctime=Fri Apr 5 11:54:38 2019 mtime=Sun Apr 14 19:09:07 2019 atime=Fri Apr 5 11:54:38 2019 length=1630136 window=hide"
      "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "Your Package Tracked Now .lnk" has type "empty"
      "widgets.json" has type "ASCII text with very long lines"
      "main_templates_1_" has type "HTML document ASCII text with CRLF line terminators"
      "6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
      "BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894" has type "data"
      "search-icon_1_" has type "PNG image data 13 x 13 8-bit/color RGBA non-interlaced"
      "main_templates_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
      "50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B" has type "data"
      "B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62" has type "data"
      "FC5A820A001B41D68902E051F36A5282_C1406F61BD308379547E8CA6AF548845" has type "data"
      "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 6529 bytes 1 file"
      "_17E1E285-5EE9-11E9-B23A-0A00272B5918_.dat" has type "Composite Document File V2 Document Cannot read section info"
      "style_1_" has type "ASCII text with CRLF line terminators" source: Extracted File, relevance: 3/10

    • Touches files in the Windows directory

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000020.db"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\wshqos.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\oleaccrc.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\rsaenh.dll"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
      "YourPackageTrackedNow_5cadf9e53f83d.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files" source: API Call, relevance: 7/10

  • Network Related
    • Found potential URL in binary/memory


    • HTTP request contains Base64 encoded artifacts
  • Spyware/Information Retrieval
    • Found a reference to a known community page

      e(o,"youtube real time with bill maher","")
      e(o,"youtube reviews difference between lash blast flourish and lash blast bloom mascaras","")
      e(o,"youtube rewind","")
      e(o,"youtube richard smallwood the blood","")
      e(o,"youtube roblox games","")
      e(o,"youtube rock n roll variety show","")
      e(o,"youtube rookie blue","")
      e(o,"youtube rookie blue sam an" (Indicator: "youtube")
      "andy"
      "")
      e(o,"youtube sis vs bro","")
      e(o,"youtube steve wilkos","")
      e(o,"youtube to mp3","youtube to mp")
      e(o,"youtube to mp3 converter","youtube to mp")
      e(o,"youtube to mp4","youtube to mp")
      e(o,"youtube tv","")
      e(o,"youtube unblocked","")
      e(o,"youtube video downloader","youtube video")
      e(o,"youtube video governmental accounting","youtube video")
      e(o,"youtube videos","youtube video")
      e(o,"youtube wont load on my samsung smart tv","")
      e(o,"youtube ynic","")
      e(o,"youtube youtube","")
      e(o,"youtube.com","youtube.com")
      e(o,"youtube.com activate","youtube.com")
      e(o,"youtube.com music","youtube.com")
      e(o,"youtube.com unblocked","youtube.com")
      e(o,"youtube.comactivate","youtube.com")
      e(o,"youtube","")
      e(o,"youtubecom","")
      e(o,"youtubee","")
      e(o,"youtubekingnqueensofcarinivaltntsemi19","")
      e(o,"youtubelist of signature less paul guitars pre 1980","")
      e(o,"youtubemusic","")
      e(o,"youtubeonlythrujesuschurch","")
      e(o,"youtuber","")
      e(o,"youtubes email","")
      e(o,"youtubetntcarinival","")
      e(o,"1040 tax form 2018","10" (Indicator: "youtube")
      "")
      e(o,"fox news live stream","")
      e(o,"fox news live stream free","fox.com")
      e(o,"fox news nashville","fox.com")
      e(o,"fox news national headline news","fox.com")
      e(o,"fox news official site","fox.com")
      e(o,"fox news on youtube","fox.com")
      e(o,"fox news trump","")
      e(o,"fox news youtube","fox.com")
      e(o,"fox official site","fox.com")
      e(o,"fox school game unblocked","fox.com")
      e(o,"fox sports","fox.com")
      e(o,"fox sports go","fox.com")
      e(o,"fox.com","fox.com")
      e(o,"fox13now","fox.com")
      e(o,"fox2detroit","fox.com")
      e(o,"fox2now","fox.com")
      e(o,"fox4news dfw","fox.com")
      e(o,"foxnation.com","fox.com")
      e(o,"foxnews","fox.com")
      e(o,"foxnews live","fox.com")
      e(o,"foxnews.com","fox.com")
      e(o,"freetaxusa","freetaxusa reviews")
      e(o,"freetaxusa 2015","freetaxusa reviews")
      e(o,"freetaxusa 2016","freetaxusa reviews")
      e(o,"freetaxusa 2017","freetaxusa reviews")
      e(o,"freetaxusa 2018","freetaxusa reviews")
      e(o,"freetaxusa 2018 login","freetaxusa reviews")
      e(o,"freetaxusa 2018 review","freetaxusa reviews")
      e(o,"freetaxusa 2019"," (Indicator: "youtube")
      "flix movies")
      e(o,"netflix login","netflix movies")
      e(o,"netflix march 2019","netflix movies")
      e(o,"netflix moves that start with an i","netflix movies")
      e(o,"netflix movies","netflix movies")
      e(o,"netflix series","netflix movies")
      e(o,"netflix shows","netflix movies")
      e(o,"netflix sign in","netflix movies")
      e(o,"netflix stock","netflix movies")
      e(o,"netflix tv shows 2019","netflix movies")
      e(o,"netflix umbrella academy","netflix movies")
      e(o,"netflix you","netflix movies")
      e(o,"netflix.com","netflix movies")
      e(o,"netflix.compayment","netflix movies")
      e(o,"netflix","netflix movies")
      e(o,"netflixs","netflix movies")
      e(o,"pinterest","pinterest recipes")
      e(o,"pinterest app","pinterest recipes")
      e(o,"pinterest crafts","pinterest recipes")
      e(o,"pinterest diy","pinterest recipes")
      e(o,"pinterest everything","pinterest recipes")
      e(o,"pinterest fashion busines cards ","pinterest recipes")
      e(o,"pinterest food","pinterest recipes")
      e(o,"pinterest hydro flask stickers","pinterest recipes")
      e(o,"pinterest log in","pinte" (Indicator: "netflix.com")
      "y":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook messenger":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook portal":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook ralph miner":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook robert bradley":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook search":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook sign in":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook trasmitir en vivo ":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook.":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook.com":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook.com login":{subbucketwinner:""
      bucketwinner:"facebook app"}
      "facebook.comecsboyshoops.com":{subbucketwinner:""
      bucketwinner:"facebook app"}}
      "facebook"
      {subbucketwinner:""
      bucketwinner:"facebook app"})
      n(e,"facebookcom",{subbucketwinner:"",bucketwinner:"facebook app"})
      n(e,"facebooklogin",{subbucketwinner:"",bucketwinner:"facebook app"}" (Indicator: "facebook.com")
      "line"})
      n(e,"google images search",{subbucketwinner:"google images",bucketwinner:"google online"})
      n(e,"google indonesia youtube",{subbucketwinner:"",bucketwinner:"google online"})
      n(e,"google keep",{subbucketwinner:"",bucketwinner:"google online"})
      n(e,"google kids",{subbucketwinner:"google kids",bucketwinner:"google online"})
      n(e,"google kids account",{subbucketwinner:"google kids",bucketwinner:"google online"})
      n(e,"google latitude app",{subbucketwinner:"",bucketwinner:"google online"})
      n(e,"google log in ",{subbucketwinner:"google login",bucketwinner:"google online"})
      n(e,"google login",{subbucketwinner:"google login",bucketwinner:"google online"})
      n(e,"google logo",{subbucketwinner:"google login",bucketwinner:"google online"})
      n(e,"google mail",{subbucketwinner:"google mail sign in",bucketwinner:"google online"})
      n(e,"google mail account",{subbucketwinner:"google mail sign in",bucketwinner:"google online"})
      n(e,"google mail sign in",{subbucketwinner:"google mail sign in",bucketwinner:"google online"})
      n" (Indicator: "youtube"), "asdaq",{subbucketwinner:"",bucketwinner:"yahoo.mail"}),n(e,"yahoonews",{subbucketwinner:"yahoonews",bucketwinner:"yahoo.mail"}),n(e,"yahoonews.com",{subbucketwinner:"yahoonews",bucketwinner:"yahoo.mail"}),n(e,"yahooo.com",{subbucketwinner:"",bucketwinner:"yahoo.mail"}),n(e,"youtube",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube .com activate",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube .com home",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube .com video",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube 40 amp 600 volt blocking diode installation",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube and google analytics integration",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube app",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube arnold schwarzenegger its not a tumor",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube basic arrhythmias",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube benjamin franklin washington dc nation capital white house monument licoln jefferson memorial",{sub" (Indicator: "youtube")
      "ucketwinner:"",bucketwinner:""}),n(e,"youtube broadcast yourself",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube butterfly shoes",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube can and sanem",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube cannon mx430 series how to take apart a rubiks cube",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube capas de la tierra",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube childrens stories read aloud",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube christian music",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube christian music gaither homecoming friends video",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube christian music in spanish",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube com",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube comedy",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube converter",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube deep state arrests",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube double scoop mandari" (Indicator: "youtube"), "",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube downloader",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube for kids",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube fox news",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube free movies",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube gordon lightfoot carefree highway",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube gossaye tesfaye new album",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube gracie spidell",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube halsey without me",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube hindi songs",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube how to be a clinical director of a mental health iop",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube how to draw ssj broly from broly movie",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube how to set up fitbit charge 3",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube how to speak with a southern accent",{subbucketwinner:"",bucketwinner:""}),n(e" (Indicator: "youtube")
      ""youtube jo stafford you belong to me",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube john adams declaration of independence women in revolution",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube john grisham",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube kids",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube kids slime videos",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube koleksi lagu raya terengganu malaysia",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube leave it to beaver",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube lou dobbs tonight",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube malayalam movies",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube more ameerah pranks",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube movies",{subbucketwinner:"youtube movies free",bucketwinner:"youtube movies"}),n(e,"youtube movies free",{subbucketwinner:"youtube movies free",bucketwinner:"youtube movies"}),n(e,"youtube mp3",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube music",{subbu" (Indicator: "youtube")
      "ketwinner:"youtube music videos",bucketwinner:"youtube music"}),n(e,"youtube music playlist",{subbucketwinner:"youtube music videos",bucketwinner:"youtube music"}),n(e,"youtube music videos",{subbucketwinner:"youtube music videos",bucketwinner:"youtube music"}),n(e,"youtube news",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube on the fall of israel and judah for kids",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube orepo vending maching",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube oscars 2019",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube pastor john hannah",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube pigs ear notches",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube proxy",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube real time with bill maher",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube reviews difference between lash blast flourish and lash blast bloom mascaras",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube rewind",{subbucketwinner:"",bucketwinner:""}),n(e,"you" (Indicator: "youtube"), "ube richard smallwood the blood",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube roblox games",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube rock n roll variety show",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube rookie blue",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube rookie blue sam and andy",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube sis vs bro",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube steve wilkos",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube to mp3",{subbucketwinner:"youtube to mp4",bucketwinner:"youtube to mp"}),n(e,"youtube to mp3 converter",{subbucketwinner:"youtube to mp4",bucketwinner:"youtube to mp"}),n(e,"youtube to mp4",{subbucketwinner:"youtube to mp4",bucketwinner:"youtube to mp"}),n(e,"youtube tv",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube unblocked",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube video downloader",{subbucketwinner:"youtube videos",bucketwinner:"youtube video"}),n(e,"youtube video governmental accounting",{subbucketwinner" (Indicator: "youtube")
      ""youtube videos",bucketwinner:"youtube video"}),n(e,"youtube videos",{subbucketwinner:"youtube videos",bucketwinner:"youtube video"}),n(e,"youtube wont load on my samsung smart tv",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube ynic",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube youtube",{subbucketwinner:"",bucketwinner:""}),n(e,"youtube.com",{subbucketwinner:"youtube.com unblocked",bucketwinner:"youtube.com"}),n(e,"youtube.com activate",{subbucketwinner:"youtube.com unblocked",bucketwinner:"youtube.com"}),n(e,"youtube.com music",{subbucketwinner:"youtube.com unblocked",bucketwinner:"youtube.com"}),n(e,"youtube.com unblocked",{subbucketwinner:"youtube.com unblocked",bucketwinner:"youtube.com"}),n(e,"youtube.comactivate",{subbucketwinner:"youtube.com unblocked",bucketwinner:"youtube.com"}),n(e,"youtube",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubecom",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubee",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubekingnqueensofcarinivaltntsemi19",{subbucke" (Indicator: "youtube")
      "winner:"",bucketwinner:""}),n(e,"youtubelist of signature less paul guitars pre 1980",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubemusic",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubeonlythrujesuschurch",{subbucketwinner:"",bucketwinner:""}),n(e,"youtuber",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubes email",{subbucketwinner:"",bucketwinner:""}),n(e,"youtubetntcarinival",{subbucketwinner:"",bucketwinner:""}),n(e,"1040 tax form 2018",{subbucketwinner:"",bucketwinner:"1040 tax form"}),n(e,"1040 2018 tax form",{subbucketwinner:"",bucketwinner:"1040 tax form"}),n(e,"1040 ez",{subbucketwinner:"1040 ez tax form",bucketwinner:"1040 tax form"}),n(e,"1040 ez tax form",{subbucketwinner:"1040 ez tax form",bucketwinner:"1040 tax form"}),n(e,"1040 federal tax form",{subbucketwinner:"1040 federal tax form 2018",bucketwinner:"1040 tax form"}),n(e,"1040 federal tax form 2018",{subbucketwinner:"1040 federal tax form 2018",bucketwinner:"1040 tax form"}),n(e,"1040 federal tax instructions 2018",{subbucketwin" (Indicator: "youtube")
      "m"})
      n(e,"fox news free live stream",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news live",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news live stream",{subbucketwinner:"fox news live stream",bucketwinner:""})
      n(e,"fox news live stream free",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news nashville",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news national headline news",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news official site",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news on youtube",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox news trump",{subbucketwinner:"",bucketwinner:""})
      n(e,"fox news youtube",{subbucketwinner:"fox news live stream",bucketwinner:"fox.com"})
      n(e,"fox official site",{subbucketwinner:"",bucketwinner:"fox.com"})
      n(e,"fox school game unblocked",{subbucketwinner:"",bucketwi" (Indicator: "youtube")
      source: String; relevance: 7/10

  • System Security
    • Creates or modifies windows services

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      "Your Package Tracked Now.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      source: Registry Access; relevance: 10/10; ATT&CK ID: T1112

    • Opens the Kernel Security Device Driver (KsecDD) of Windows

      details "YourPackageTrackedNow_5cadf9e53f83d.exe" opened "\Device\KsecDD"
      "Your Package Tracked Now.exe" opened "\Device\KsecDD"
      source: API Call; relevance: 10/10; ATT&CK ID: T1215

  • Unusual Characteristics
    • Matched Compiler/Packer signature

      details "Your Package Tracked Now.exe" was detected as "VC8 -> Microsoft Corporation"
      "npHelper.dll" was detected as "Borland Delphi 3.0 (???)"
      source: Static Parser; relevance: 10/10; ATT&CK ID: T1002

File Details

All Details:

Your Package Tracked Now_5cadf9e53f83d.exe

Filename: Your Package Tracked Now_5cadf9e53f83d.exe
Size: 720KiB (736808 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Architecture: WINDOWS
SHA256: bd85622762bf36b5e2416519702b4c1b2346c204aa615aea7ff67b034fec43e7

Resources

Language: ENGLISH

Visualization

Input File (PortEx)

Version Info

LegalCopyright: (c) 2018 Springtech Ltd
FileVersion: 3.1.0.5
CompanyName: Springtech Ltd
ProductName: Desktop Search Bar
ProductVersion: 3.1.0.5
FileDescription: Desktop web search
OriginalFilename: SBInstaller
Translation: 0x0409 0x0000

Classification (TrID)

  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic)
  • 36.3% (.EXE) Win64 Executable (generic)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic)
  • 5.9% (.EXE) Win32 Executable (generic)
  • 2.6% (.EXE) OS/2 Executable (generic)

File Sections

Name    Entropy         Virtual Address  Virtual Size  Raw Size  MD5                               Characteristics
.text   6.45023172617   0x1000           0x615d        0x6200    0b0812166ebbd0109e7f5e007b182949  -
.rdata  5.16300165576   0x8000           0x13a4        0x1400    4ac891d4ddf58633f14436f9f80ac6b6  -
.data   3.98240095831   0xa000           0x20338       0x600     66b45fceba0f24d768fb09e0afe23c99  -
.ndata  0               0x2b000          0x26000       0x0       d41d8cd98f00b204e9800998ecf8427e  -
.rsrc   6.04043427514   0x51000          0x7c20        0x7e00    c4a6b45c7f3795bd7a9e163b490a3541  -

File Resources

Screenshots


Hybrid Analysis


Analysed 4 processes in total (System Resource Monitor).

Network Analysis

DNS Requests

HTTP Traffic

Memory Forensics

Extracted Files

Displaying 25 extracted file(s). The remaining 40 file(s) are available in the full version and XML/JSON reports.

    • en-US.2
    • Your Package Tracked Now .lnk

      Size: Unknown (0 bytes); Type: empty; Runtime Process: YourPackageTrackedNow_5cadf9e53f83d.exe (PID: 1440)

Notifications

  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID "api-12" are available in the report
  • Not all sources for indicator ID "api-4" are available in the report
  • Not all sources for indicator ID "api-51" are available in the report
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "binary-0" are available in the report
  • Not all sources for indicator ID "hooks-8" are available in the report
  • Not all sources for indicator ID "mutant-0" are available in the report
  • Not all sources for indicator ID "registry-17" are available in the report
  • Not all sources for indicator ID "registry-18" are available in the report
  • Not all sources for indicator ID "registry-19" are available in the report
  • Not all sources for indicator ID "registry-55" are available in the report
  • Not all sources for indicator ID "registry-72" are available in the report
  • Not all sources for indicator ID "string-10" are available in the report
  • Some low-level data is hidden, as this is only a slim report
  • Sample was not shared with the community