Source: jZBSswQjhQ.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: jZBSswQjhQ.exe |
Static PE information: certificate valid |
Source: |
Binary string: C:\TenProtect\thunk\output\Release\tpsvc.pdb source: jZBSswQjhQ.exe |
Source: unknown |
DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://s.symcb.com/universal-root.crl0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://s.symcd.com06 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://s2.symcb.com0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sf.symcb.com/sf.crl0a |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sf.symcb.com/sf.crt0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sf.symcd.com0& |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sv.symcb.com/sv.crl0a |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://sv.symcd.com0& |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0( |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com0; |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://www.symauth.com/cps0( |
Source: jZBSswQjhQ.exe |
String found in binary or memory: http://www.symauth.com/rpa00 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: https://d.symcb.com/cps0% |
Source: jZBSswQjhQ.exe |
String found in binary or memory: https://d.symcb.com/rpa0 |
Source: jZBSswQjhQ.exe |
String found in binary or memory: https://d.symcb.com/rpa0. |
Source: jZBSswQjhQ.exe |
Binary or memory string: OriginalFilename vs jZBSswQjhQ.exe |
Source: jZBSswQjhQ.exe, 00000000.00000000.2110969864.000000000040C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameTPSVC.EXE vs jZBSswQjhQ.exe |
Source: jZBSswQjhQ.exe |
Binary or memory string: OriginalFilenameTPSVC.EXE vs jZBSswQjhQ.exe |
Source: jZBSswQjhQ.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine |
Classification label: clean3.winEXE@1/0@1/0 |
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe |
Section loaded: tpsvcbase.dll |
Jump to behavior |
Source: jZBSswQjhQ.exe |
Static PE information: certificate valid |
Source: jZBSswQjhQ.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: C:\TenProtect\thunk\output\Release\tpsvc.pdb source: jZBSswQjhQ.exe |
Source: initial sample |
Static PE information: section where entry point is pointing to: .tp3 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 |
Source: C:\Users\user\Desktop\jZBSswQjhQ.exe |
Code function: 0_2_0040ED17 push ss; retf |
0_2_00410323 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 entropy: 7.869411093870724 |
Source: jZBSswQjhQ.exe |
Static PE information: section name: .tp3 entropy: 7.560376174712344 |