Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B329F7 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, |
0_2_00B329F7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B3CD67 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, |
0_2_00B3CD67 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_103E4517 FindFirstFileW,GetLastError,__invoke_watson, |
1_2_103E4517 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.222.162.32 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.46.162.224 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.114.59.183 |
Source: Client.dll |
String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://pcinfoupload.110route.com/forum.php?from=discuz |
Source: Cyber.exe |
String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07 |
Source: Cyber.exe |
String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr |
Source: Cyber.exe |
String found in binary or memory: http://pki-ocsp.symauth.com0 |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://sbk.sgamer.com/cyberdown.php?cc= |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://tj.110route.com/index.html |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://uploadimg.110route.com/Upload.php |
Source: Client.dll |
String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: Client.dll |
String found in binary or memory: http://www.openssl.org/support/faq.html.................... |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.yileyoo.com/help |
Source: Cyber.exe, 00000001.00000002.2884433228.0000000000011000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://beian.wwwscn.com/report.php?bd= |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B359CA |
0_2_00B359CA |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B4C8C0 |
0_2_00B4C8C0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B37A93 |
0_2_00B37A93 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B512E4 |
0_2_00B512E4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B41214 |
0_2_00B41214 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B42392 |
0_2_00B42392 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B41B28 |
0_2_00B41B28 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B45352 |
0_2_00B45352 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B4CD6E |
0_2_00B4CD6E |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B38677 |
0_2_00B38677 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B41710 |
0_2_00B41710 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B31773 |
0_2_00B31773 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B41F5D |
0_2_00B41F5D |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032C4320 |
1_2_032C4320 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032D11A0 |
1_2_032D11A0 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032B6090 |
1_2_032B6090 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032A4637 |
1_2_032A4637 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CF52E |
1_2_032CF52E |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032C0525 |
1_2_032C0525 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032C3475 |
1_2_032C3475 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_0329EF47 |
1_2_0329EF47 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_03294F81 |
1_2_03294F81 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032D2EB7 |
1_2_032D2EB7 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032C4D00 |
1_2_032C4D00 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032D8D71 |
1_2_032D8D71 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032A4C8B |
1_2_032A4C8B |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032DBCE0 |
1_2_032DBCE0 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_102811D0 |
1_2_102811D0 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_10281688 |
1_2_10281688 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040C9C0 |
10_2_0040C9C0 |
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; |
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d+18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q); |
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence'; |
Source: Cyber.exe, Cyber.exe, 00000001.00000002.2887468224.0000000003290000.00000040.00001000.00020000.00000000.sdmp, Cyber.exe, 00000001.00000002.2884767342.00000000000D6000.00000004.00000001.01000000.00000007.sdmp |
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe" |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Process created: C:\tcls\Cyber.exe "C:\tcls\Cyber.exe" |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrator:(OI)(CI)F |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Windows\" /grant Administrators:(OI)(CI)F |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F |
|
Source: C:\Windows\SysWOW64\icacls.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F |
|
Source: C:\Windows\SysWOW64\icacls.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\icacls.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\icacls.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\mbrmqqboi.exe C:\Windows\mbrmqqboi.exe 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC l |
|
Source: C:\Windows\mbrmqqboi.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\tcls\Cyber.exe |
Process created: C:\Windows\SysWOW64\sc.exe sc.exe config Winmgmt start= AUTO |
|
Source: C:\Windows\SysWOW64\sc.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\mbrmqqboi.exe |
Process created: C:\Windows\mbrmqqboi.exe "C:\Windows\mbrmqqboi.exe" 573361E268EEA0A1AAD8FBFEC537B9EAF74E7373E764BF2C092E5EA54598082958EC |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: <pi-ms-win-core-synch-l1-2-0.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: <pi-ms-win-core-synch-l1-2-0.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: <pi-ms-win-core-localization-l1-2-1.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: dxgidebug.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: sfc_os.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: pcacli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Section loaded: mpr.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: apphelp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: mpr.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: version.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wsock32.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: quartz.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wininet.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: netapi32.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: iphlpapi.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: iphlpapi.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wininet.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wtsapi32.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: winmm.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: windows.storage.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wldp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: uxtheme.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: olepro32.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: kernel.appcore.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: mswsock.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: napinsp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: pnrpnsp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wshbth.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: nlaapi.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: dnsapi.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: winrnr.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: fwpuclnt.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: rasadhlp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: client.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: ieframe.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: iertutil.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: userenv.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: winhttp.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wkscli.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: netutils.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: textinputframework.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: coreuicomponents.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: coremessaging.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: ntmarta.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: coremessaging.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wintypes.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wintypes.dll |
Source: C:\tcls\Cyber.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\SysWOW64\icacls.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\icacls.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\icacls.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\icacls.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: wsock32.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: wldp.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: propsys.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: profapi.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: edputil.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: netutils.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: appresolver.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: bcp47langs.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: slc.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: userenv.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: sppc.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: wsock32.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\mbrmqqboi.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B400F6 push ecx; ret |
0_2_00B40109 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B359BA push dword ptr [ebp+03046A00h]; ret |
0_2_00B359C4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop9.4697.30323.11244.exe |
Code function: 0_2_00B3F484 push eax; ret |
0_2_00B3F4A2 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032D5370 push eax; ret |
1_2_032D539E |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_103EB47D push ecx; ret |
1_2_103EB490 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_004055D4 push 00405639h; ret |
10_2_00405631 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040586E push 0040589Ch; ret |
10_2_00405894 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00405870 push 0040589Ch; ret |
10_2_00405894 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409834 push 004098A3h; ret |
10_2_0040989B |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040C968 push 0040C9B6h; ret |
10_2_0040C9AE |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00405119 push eax; ret |
10_2_00405155 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040D1A4 push 0040D1D0h; ret |
10_2_0040D1C8 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00405A00 push 00405A2Ch; ret |
10_2_00405A24 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00405A38 push 00405CF4h; ret |
10_2_00405CEC |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409BC8 push 00409BFCh; ret |
10_2_00409BF4 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409BD0 push 00409BFCh; ret |
10_2_00409BF4 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409B90 push 00409BBCh; ret |
10_2_00409BB4 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409C40 push 00409C74h; ret |
10_2_00409C6C |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409C48 push 00409C74h; ret |
10_2_00409C6C |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409C08 push 00409C34h; ret |
10_2_00409C2C |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040D42E push 0040D456h; ret |
10_2_0040D44E |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040D430 push 0040D456h; ret |
10_2_0040D44E |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00405CC8 push 00405CF4h; ret |
10_2_00405CEC |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409CF0 push 00409D74h; ret |
10_2_00409D6C |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409C80 push 00409CACh; ret |
10_2_00409CA4 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409CB8 push 00409CE4h; ret |
10_2_00409CDC |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409D48 push 00409D74h; ret |
10_2_00409D6C |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409DAB push 00409DF9h; ret |
10_2_00409DF1 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_00409DAC push 00409DF9h; ret |
10_2_00409DF1 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040C5B6 push 0040C66Bh; ret |
10_2_0040C663 |
Source: C:\Windows\mbrmqqboi.exe |
Code function: 10_2_0040C5B8 push 0040C66Bh; ret |
10_2_0040C663 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 1070005 value: E9 2B BA E5 75 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 76ECBA30 value: E9 DA 45 1A 8A |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 1090008 value: E9 8B 8E E8 75 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 76F18E90 value: E9 80 71 17 8A |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 10A0005 value: E9 8B 4D B5 74 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 75BF4D90 value: E9 7A B2 4A 8B |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 10C0005 value: E9 EB EB B4 74 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 75C0EBF0 value: E9 1A 14 4B 8B |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 10D0005 value: E9 8B 8A F0 73 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 74FD8A90 value: E9 7A 75 0F 8C |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 10F0005 value: E9 2B 02 F1 73 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 75000230 value: E9 DA FD 0E 8C |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 2CA0005 value: E9 8B 2F 26 74 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 76F02F90 value: E9 7A D0 D9 8B |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 2CB0007 value: E9 EB DF 28 74 |
Source: C:\tcls\Cyber.exe |
Memory written: PID: 6992 base: 76F3DFF0 value: E9 1E 20 D7 8B |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD203 sqlite3_transfer_bindings, |
1_2_032CD203 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD185 sqlite3_bind_parameter_index, |
1_2_032CD185 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD078 sqlite3_bind_text16, |
1_2_032CD078 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD040 sqlite3_bind_null, |
1_2_032CD040 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD055 sqlite3_bind_text, |
1_2_032CD055 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD0A8 sqlite3_bind_parameter_count, |
1_2_032CD0A8 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CD0D3 sqlite3_bind_parameter_name, |
1_2_032CD0D3 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CCF89 sqlite3_bind_double, |
1_2_032CCF89 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CCFF2 sqlite3_bind_int64, |
1_2_032CCFF2 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CCFD7 sqlite3_bind_int, |
1_2_032CCFD7 |
Source: C:\tcls\Cyber.exe |
Code function: 1_2_032CCDFB sqlite3_bind_blob, |
1_2_032CCDFB |