Windows Analysis Report
7jBzTH9FXQ.exe

Overview

General Information

Sample name: 7jBzTH9FXQ.exe
renamed because original name is a hash value
Original sample name: 69b5fb28619acb8877a7fc604a55c8af.exe
Analysis ID: 1561756
MD5: 69b5fb28619acb8877a7fc604a55c8af
SHA1: 0a7fbf6482135103c953b1ed2712b3abf1c7dbaa
SHA256: 567df74b2713a64a19517af8ef5da5c6a6b347f3afad16d8ee57d404778d74e5
Tags: exeuser-abuse_ch
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to delay execution (extensive OutputDebugStringW loop)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Drops PE files
Drops certificate files (DER)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 7jBzTH9FXQ.exe ReversingLabs: Detection: 23%
Uses 32bit PE files
Source: 7jBzTH9FXQ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: 7jBzTH9FXQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic UDP traffic: 192.168.2.4:59856 -> 139.144.40.39:554
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 82.102.22.78:53
Source: global traffic TCP traffic: 192.168.2.4:49748 -> 216.250.122.156:53
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: instem-documedia-datos.psiphon3.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15Content-Length: 123Content-Type: video/mp4Cookie: E=/r9rcqm/Xk2jCNjJKl7Ha+mvfWRxkDkYIkes/MIc6HRD1AZYMvBGnMMheDB9MvHDdH6gM6k7DIZPF8XcEvHemVlkYN3KAq01rqPLSALHKkQJPJcO+2aNZYJ9Zrxa1KlUVqMRBi/+r9LhRVcVQ5ca/icWMpmW8i+R0lZiZZUAgVasorADkzB4aV0t/EuPT3epwhz13w5OGsb8Bwn1e9vUXFcOUI6FuMcTCC2abMD3H9PVhHg6CbeKQKQ05Vo2x/AtcDwOiXFlhQga5VShDP+y9DZd4YUHKhWOjE3FWVsHYn69c4gmG+omkUhxS6wp+JKfDmCWnHbzmhNcu8/LtyNyltvtjUoy0C7M33P+8BuQgApQ3lR6EDaj7DB9VcmLamAAEEeBjlzezVdmDkb1JeV1N8U=Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: instem-documedia-datos.psiphon3.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15Content-Length: 1567Content-Type: video/mp4Cookie: E=vvxalosSYe3LFQuNtOdgi2X8ZCYpquXYxsuO+HYXT3WYyf1RiUdm6A+nYdiBigmm0H9RFYwZE5JZYhREsAdfNPFcqndiYKIaIajXbWUDfGxZwgO2YiM24i1AZcNgwgQPDp1LEIxiq+fsYbZ8hVfDTMZce5yaD35bXMy4h5M9fN+Ri7lygkugT+70nFdSRe8AaRhZu1mwdvbLRT/Wl6DIKjgqjYCbbNa+rFaB6ZFj0F+BDQMKs+HqWJ2Bcxge2eJuAaab3m1hyOQhGNdQzpAYLNOXpgBZy3+B2zB9e09bHRlVP4nJTw0xrodj6eH6EO5RoRy7tdtBUL3b7F7x33f7/jWRso08ewtEUbHtBEoxoNcJ4pP9OoI9qvVuxnjYi19DUIMy22kIcKSnI3mKfh/3Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: www.scopelifeeg.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36Content-Length: 0Content-Type: application/javascriptCookie: C=/mWzM/oXOjfLZLzTxiR3n9m2ersQAkuDjtfYNZn+kvgXgvAQ7EWsKI2NhrGYW2O5WrzBX491Jzyf2WUgBJHcGo/1o+uTpuyFSfk50L+WdK01vJ0+DnVpOImXOYxOoPdmF9hAkeJDol/dyFDwZnZJn5YbjfPRxWN6s5A30uAEY+uMMsIgwjK1QwqqvnHuMhPqz9bp8CHCoH/q4pV28u5GdunyZxP+9VLrNCr0FQ3zxdj905d/tsFCBlpJ2C4Xg6gGpysIijuUJtBOPkwtWnTjwq06mred1QUsa9CxbWB06I+t5+0Vb9XJK2zN+N1JJJoYMqITWbWA57SSxYQNcNOroqNdRIdqtGTrukMU+W1I4UkjidX9yRaUP7sDG3yc1ZK5dKRNd29OoftAx096Zx6mQ6zZw8lFnlbwQaRVZMrTuaL5Ea/F3q2wSmdJAccept-Encoding: gzip
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 193.29.107.181
Source: unknown TCP traffic detected without corresponding DNS query: 193.29.107.181
Source: unknown TCP traffic detected without corresponding DNS query: 193.29.107.181
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.102.22.78
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.117.21
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.122.156
Source: unknown TCP traffic detected without corresponding DNS query: 104.18.166.46
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.117.21
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.102.22.78
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.122.156
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.117.21
Source: unknown TCP traffic detected without corresponding DNS query: 194.99.105.212
Source: unknown TCP traffic detected without corresponding DNS query: 82.102.22.78
Source: unknown TCP traffic detected without corresponding DNS query: 82.102.22.78
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.122.156
Source: unknown TCP traffic detected without corresponding DNS query: 216.250.122.156
Source: unknown TCP traffic detected without corresponding DNS query: 74.208.177.192
Source: unknown TCP traffic detected without corresponding DNS query: 74.208.177.192
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 74.208.177.192
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 192.46.237.70
Source: unknown TCP traffic detected without corresponding DNS query: 194.99.105.212
Source: unknown TCP traffic detected without corresponding DNS query: 194.99.105.212
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: instem-documedia-datos.psiphon3.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Safari/605.1.15Content-Length: 123Content-Type: video/mp4Cookie: E=/r9rcqm/Xk2jCNjJKl7Ha+mvfWRxkDkYIkes/MIc6HRD1AZYMvBGnMMheDB9MvHDdH6gM6k7DIZPF8XcEvHemVlkYN3KAq01rqPLSALHKkQJPJcO+2aNZYJ9Zrxa1KlUVqMRBi/+r9LhRVcVQ5ca/icWMpmW8i+R0lZiZZUAgVasorADkzB4aV0t/EuPT3epwhz13w5OGsb8Bwn1e9vUXFcOUI6FuMcTCC2abMD3H9PVhHg6CbeKQKQ05Vo2x/AtcDwOiXFlhQga5VShDP+y9DZd4YUHKhWOjE3FWVsHYn69c4gmG+omkUhxS6wp+JKfDmCWnHbzmhNcu8/LtyNyltvtjUoy0C7M33P+8BuQgApQ3lR6EDaj7DB9VcmLamAAEEeBjlzezVdmDkb1JeV1N8U=Accept-Encoding: gzip
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2016667696.000000000B770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/we1/Un79Lm4-K_s.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/root.crl0Q
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.1962766624.000000000B588000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gsatlasr3dvtlsca2024q4.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890449444.0000000002954000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en0F
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en0G
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2016667696.000000000B770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/we1.crt0
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752145668.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753322270.000000000388B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753214719.00000000060B5000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752731175.00000000060AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jqueryui.com
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730728403.000000000667E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1722978467.000000000DC27000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000065ED000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730213693.00000000065D2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724143966.000000000DE29000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723263943.000000000DFF6000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/add-inverted-param/
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730728403.000000000667E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1722978467.000000000DC27000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000065ED000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730213693.00000000065D2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724143966.000000000DE29000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723263943.000000000DFF6000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/define-locale/
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730728403.000000000667E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1722978467.000000000DC27000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723899024.000000000CBF8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000065ED000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730213693.00000000065D2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724143966.000000000DE29000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723263943.000000000DFF6000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/dst-shifted/
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730728403.000000000667E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1722978467.000000000DC27000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723899024.000000000CBF8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000065ED000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730213693.00000000065D2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724143966.000000000DE29000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723263943.000000000DFF6000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/js-date/
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/min-max/
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730728403.000000000667E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1722978467.000000000DC27000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723899024.000000000CBF8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000065ED000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730213693.00000000065D2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724143966.000000000DE29000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1723263943.000000000DFF6000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://momentjs.com/guides/#/warnings/zone/
Source: psiphon-tunnel-core.exe, 00000003.00000003.2016667696.000000000B770000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/s/we1/-fc0%
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://o.ss2.us/0
Source: psiphon-tunnel-core.exe, 00000003.00000003.1962766624.000000000B588000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gsatlasr3dvtlsca2024q40J
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885759700.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.com
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.com0J
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885759700.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.starfieldtech.coml
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://s.ss2.us/r.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.1962766624.000000000B588000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsatlasr3dvtlsca2024q4.crt0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: psiphon-tunnel-core.exe, 00000003.00000002.2985908333.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.2890449444.000000000295D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753239172.0000000005577000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1739673471.0000000006139000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.00000000060DA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000002.2986145517.00000000028E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890449444.0000000002954000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: psiphon-tunnel-core.exe, 00000003.00000003.2898513794.000000000293C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2900929327.00000000028C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753853065.0000000003ABE000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751699044.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731979138.00000000060C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.satzansatz.de/cssd/onhavinglayout.html
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716191155.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1716030294.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1715936304.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1715882181.0000000005C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1715792986.0000000005C98000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1715882181.0000000005C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com#H
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1715792986.0000000005C98000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1715882181.0000000005C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comNH
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890295896.000000000295A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2890042477.000000000295F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valicert.com/1
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885759700.0000000002876000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x.ss2.us/x.cer
Source: psiphon-tunnel-core.exe, 00000003.00000002.2989822996.000000000B6AC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://x.ss2.us/x.cer0&
Source: psiphon-tunnel-core.exe, 00000003.00000003.1910643866.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.1934003047.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.1937937198.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://instem-documedia-datos.psiphon3.net/
Source: psiphon-tunnel-core.exe, 00000003.00000003.1910643866.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://instem-documedia-datos.psiphon3.net/cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP
Source: psiphon-tunnel-core.exe, 00000003.00000003.1934003047.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.1937937198.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://instem-documedia-datos.psiphon3.net/instem-documedia-datos.psiphon3.net:443
Source: psiphon-tunnel-core.exe, 00000003.00000003.1910643866.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://instem-documedia-datos.psiphon3.net/instem-documedia-datos.psiphon3.net:443psiphon.tcpDial#2
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729660028.000000000EF99000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728346717.000000000D24E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728133340.000000000CBF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.psi.cash/?etc
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729660028.000000000EF99000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728346717.000000000D24E000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1728133340.000000000CBF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://my.psi.cash/forgot?etc
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1809437172.000000000DE41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.psi.cash/forgot?utm_source=Psiphon-PsiCash-Windows&locale=en-Latn-CH#
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1809437172.000000000DE41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.psi.cash/signup?utm_source=Psiphon-PsiCash-Windows&locale=en-Latn-CH#
Source: psiphon-tunnel-core.exe, 00000003.00000003.2900929327.00000000028C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734107956.0000000006976000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752307334.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734201804.0000000006AA7000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.000000000696C000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731513751.0000000006934000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731417072.000000000695D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732618713.000000000696B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.0000000006938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicash
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1751519050.0000000006B0B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736794217.0000000006B15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicash-account
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1733668772.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736484063.0000000006B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicash.$
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicash7
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731513751.0000000006934000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.0000000006938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicashU
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicasha
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731468659.000000000682F000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731823446.0000000006842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicashbo-label
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1752655118.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751883569.0000000006C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicashf
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1733668772.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752191352.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736484063.0000000006B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/faq.html#psicashor
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1738162585.0000000010210000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1725368088.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727329562.000000000CCC1000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727732504.000000000FE7D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724695519.000000000E4E5000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727931592.000000000E9A2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724941219.000000000E5BA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731513751.0000000006934000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.0000000006938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/fr/license.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1738162585.0000000010210000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733668772.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1725368088.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752191352.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727329562.000000000CCC1000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727732504.000000000FE7D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732740303.0000000006854000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724695519.000000000E4E5000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736942170.0000000006855000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727931592.000000000E9A2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724941219.000000000E5BA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736484063.0000000006B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/fr/privacy.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1736639471.0000000006B45000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731417072.000000000695D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732618713.000000000696B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736594573.0000000006922000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727663655.000000000CC06000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734807202.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734807202.0000000006A7F000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751519050.0000000006B0B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/license.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1736594573.0000000006922000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727663655.000000000CC06000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734807202.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734807202.0000000006A7F000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751519050.0000000006B0B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/privacy.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753322270.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon.ca/privacy.htmlo
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.000000000696C000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736942170.0000000006855000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752759036.0000000006C06000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736484063.0000000006B7C000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751883569.0000000006C3A000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731417072.000000000695D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732618713.000000000696B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clear
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1751519050.0000000006B0B000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752358727.0000000006B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clear-windows-data
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731513751.0000000006934000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.0000000006938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clear2
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006540000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731073092.00000000065B2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1729706863.0000000006541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clear:
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1752307334.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearF
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1752307334.0000000006BFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearc
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1737227129.0000000006B56000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753025090.0000000006B57000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1734201804.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736639471.0000000006B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearl
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732647324.00000000067FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731767827.00000000067E3000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731538629.00000000067CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearodaltran
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clears
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1734107956.0000000006976000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.000000000696C000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731417072.000000000695D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732618713.000000000696B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#cleart
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearv#comy
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1733668772.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1736484063.0000000006B7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/faq.html#clearz%w
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1738162585.0000000010210000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1752655118.0000000006C72000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1725368088.000000000E7E8000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730468703.00000000066FB000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727329562.000000000CCC1000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727732504.000000000FE7D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751883569.0000000006C72000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1730978759.0000000006847000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1733011509.000000000696C000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1727931592.000000000E9A2000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1724941219.000000000E5BA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731417072.000000000695D000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1732618713.000000000696B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://psiphon3.com/fr/faq.html#clear-windows-data
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/download.html#direct
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753025090.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.htmlI
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753025090.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.htmlL
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753025090.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/faq.htmlng
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.html
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1753025090.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/index.htmlo
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1728440952.0000000006135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiphon/web/mjr4-p23r-puwl/privacy.html#information-collected
Source: psiphon-tunnel-core.exe, 00000003.00000003.1787826598.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.1892107001.000000000B548000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/psiupload/
Source: psiphon-tunnel-core.exe, 00000003.00000003.1787826598.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000003.1892107001.000000000B548000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.com/web/mjr4-p23r-puwl/osl
Source: psiphon-tunnel-core.exe, 00000003.00000003.1787826598.000000000B5DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://s3.amazonaws.comhttps://s3.amazonaws.com2024-11-24T07:39:56.894Z2024-11-24T07:39:56.894Z2024
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753853065.0000000003ABE000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751699044.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731979138.00000000060C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/a/17622706/729729
Source: 7jBzTH9FXQ.exe, 00000000.00000003.1716469809.0000000004F99000.00000004.00000800.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1753853065.0000000003ABE000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1751699044.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, 7jBzTH9FXQ.exe, 00000000.00000003.1731979138.00000000060C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/24431054/float-right-and-float-left-in-absolute-container-ie7-ex
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: psiphon-tunnel-core.exe, 00000003.00000003.1962766624.000000000B588000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: psiphon-tunnel-core.exe, 00000003.00000003.1914263844.000000000B83A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.scopelifeeg.net/
Source: psiphon-tunnel-core.exe, 00000003.00000003.1914263844.000000000B83A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.scopelifeeg.net/Sun
Source: psiphon-tunnel-core.exe, 00000003.00000003.2887670913.0000000002993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.166.46:443 -> 192.168.2.4:49754 version: TLS 1.2
Drops certificate files (DER)
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 Jump to dropped file

System Summary
barindex
PE file has nameless sections
Source: 7jBzTH9FXQ.exe Static PE information: section name:
Source: 7jBzTH9FXQ.exe Static PE information: section name:
PE / OLE file has an invalid certificate
Source: 7jBzTH9FXQ.exe Static PE information: invalid certificate
Searches for the Microsoft Outlook file path
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Uses 32bit PE files
Source: 7jBzTH9FXQ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal56.evad.winEXE@4/31@0/10
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\main[1] Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Mutant created: NULL
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ServerListMutex-VPN
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{B88F6262-9CC8-44EF-887D-FB77DC89BB8C}
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\ServerListMutex-CoreTransport
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe File created: C:\Users\user\AppData\Local\Temp\dat8355.tmp Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 7jBzTH9FXQ.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe File read: C:\Users\user\Desktop\7jBzTH9FXQ.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7jBzTH9FXQ.exe "C:\Users\user\Desktop\7jBzTH9FXQ.exe"
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process created: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat"
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process created: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat" Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: t2embed.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 Jump to behavior
Source: 7jBzTH9FXQ.exe Static file information: File size 8060336 > 1048576
Source: 7jBzTH9FXQ.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x794c00
Source: 7jBzTH9FXQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
PE file contains sections with non-standard names
Source: 7jBzTH9FXQ.exe Static PE information: section name:
Source: 7jBzTH9FXQ.exe Static PE information: section name:
Source: psiphon-tunnel-core.exe.0.dr Static PE information: section name: .symtab
Drops PE files
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe File created: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Section loaded: OutputDebugStringW count: 405
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 4D90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5DB0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5F30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5F50000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 70D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 71E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 74A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 7610000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 7670000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 7690000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 76B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: B120000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: B160000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 4FD0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5010000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5090000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 50B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5130000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 51F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5210000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5230000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5250000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 5270000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: B180000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: B1B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CE30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CE70000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CE90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CED0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CF00000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: CF60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D0A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D1F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D210000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D340000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D360000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D380000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D3A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D8A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D150000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D190000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D1B0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DBC0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DBE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DCC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DCE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DD10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E120000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E190000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DFF0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E210000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E2E0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E230000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E250000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E320000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E340000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E380000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E3A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E3C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DE20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E3E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DBE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E6E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DE40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E4E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E7E0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10210000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DE60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DE90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DBE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC00000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DC20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DEB0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DED0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D300000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: D320000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: DE60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E600000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E620000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EA10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E640000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E660000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E680000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E6A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E6C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E7E0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E820000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E840000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E860000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E880000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E8C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: E8E0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EB20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EB40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EB60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EB80000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: FE70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EBC0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EBE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: EC00000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: FF80000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: FFC0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: FFE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 108C0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10360000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10A20000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10A40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10A60000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10A80000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10AA0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10AC0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10BF0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10C10000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10C30000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10C50000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10C70000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10C90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10CD0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10CF0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10D10000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10E70000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10E90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10EB0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: 10ED0000 memory commit | memory reserve | memory write watch Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Window / User API: threadDelayed 4458 Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Window / User API: threadDelayed 1201 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe TID: 7172 Thread sleep time: -445800s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe TID: 7172 Thread sleep time: -120100s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe TID: 8060 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Last function: Thread delayed
Source: psiphon-tunnel-core.exe, 00000003.00000003.2885032944.000000000288A000.00000004.00000020.00020000.00000000.sdmp, psiphon-tunnel-core.exe, 00000003.00000002.2985381431.0000000002881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Process created: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\user\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\user\AppData\Local\Psiphon3\server_list.dat" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7jBzTH9FXQ.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\psiphon.config VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\datastore\psiphon.boltdb VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Queries volume information: C:\Users\user\AppData\Local\Psiphon3\ca.psiphon.PsiphonTunnel.tunnel-core\upgrade.184.part.etag VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Adds / modifies Windows certificates
Source: C:\Users\user\AppData\Local\Temp\psiphon-tunnel-core.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1561756 Sample: 7jBzTH9FXQ.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 56 24 Multi AV Scanner detection for submitted file 2->24 26 PE file has nameless sections 2->26 7 7jBzTH9FXQ.exe 20 53 2->7         started        process3 file4 16 C:\Users\user\...\psiphon-tunnel-core.exe, PE32 7->16 dropped 28 Tries to delay execution (extensive OutputDebugStringW loop) 7->28 11 psiphon-tunnel-core.exe 10 7->11         started        signatures5 process6 dnsIp7 18 74.208.177.192, 443, 49751 ONEANDONE-ASBrauerstrasse48DE United States 11->18 20 77.68.55.150 ONEANDONE-ASBrauerstrasse48DE United Kingdom 11->20 22 8 other IPs or domains 11->22 14 conhost.exe 11->14         started        process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
139.144.40.39
 unknown United States
8968 BT-ITALIAIT false
192.46.237.70
 unknown United States
5501 FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe false
194.99.105.212
 unknown Romania
9009 M247GB false
77.68.55.150
 unknown United Kingdom
8560 ONEANDONE-ASBrauerstrasse48DE false
193.29.107.181
 unknown Romania
9009 M247GB false
82.223.55.128
 unknown Spain
8560 ONEANDONE-ASBrauerstrasse48DE false
104.18.166.46
 unknown United States
13335 CLOUDFLARENETUS false
37.46.117.21
 unknown Sweden
51430 ALTUSNL false
74.208.177.192
 unknown United States
8560 ONEANDONE-ASBrauerstrasse48DE false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true