Reads data out of its own binary image Show sources
| api_process_name | process: 15f206847ed96baff20511d16acfd9b73c4e8b5a.exe, pid: 2660, offset: 0x00000000, length: 0x018e62ab |
| api_process_name | process: 15f206847ed96baff20511d16acfd9b73c4e8b5a.exe, pid: 2660, offset: 0x0003821c, length: 0x018ae093 |
Attempts to connect to a dead IP:Port (3 unique times) Show sources
| network_host_ip | 23.50.75.27:80 (United States) |
| network_host_ip | 184.26.44.97:80 (United States) |
| network_host_ip | 172.229.236.163:80 (United States) |
Performs some HTTP requests Show sources
| network_url | http://apnmedia.ask.com/media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=CWM&version=1.0.0.0 |
| network_url | http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D |
| network_url | http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D |
| network_url | http://websearch.ask.com/installed?client=ic&tb=CWM&dtid=&id=640d86e3-8272-4206-9fa5-9aae06f41cfb&ipid=&iev=8.0.7601.17514&iedis=0&ielu=-2&fflu=-2&iv=&nv=&clientv=9.9.9.9&said=30ad9bc9-eb3a-4d85-9e5a-2eb1602005be&browser-lang=en&apn_dbr=ff_46.0.1&cr=1 |
| network_url | http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&p2=^AFI^YYYYYY^YY^CA&encb=&chk=sucof&ts=tAzDK&guid=640d86e3-8272-4206-9fa5-9aae06f41cfb&dt=2700&wft=remote&inst=200&tb=CWM&hos=6.1.1.sp1.x64&harch=64&hloc=en-US&iv=8.0.7601.17514&fv=46.0.1%20(x86%20en-US)&dbr=2&vb=&msi=&dot=6 |
| network_url | http://crl.globalsign.net/primobject.crl |
Network activity contains more than one unique useragent. Show sources
| Process | ApnStub.exe |
| User-Agent | ic Windows NT 6.1 MSIE 8.0 Firefox/46.0.1 WOW64 Def2 SLCC2 .NET CLR 2.0.50727 .NET CLR 3.5.30729 .NET CLR 3.0.30729 Media Center PC 6.0 .NET4.0C .NET4.0E |
| Process | ApnStub.exe |
| User-Agent | InstallChecker |
At least one IP Address, Domain, or File Name was found in a crypto call Show sources
| ioc | nc.1705 |
| ioc | sk.com1 |
| ioc | sk.com0 |
| ioc | https://d.symcb.com/cps0 |
| ioc | https://d.symcb.com/rpa0 |
Steals private information from local Internet browsers Show sources
| file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\prefs.js |
| file_read | C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Local\Temp\nsr301B.tmp\ApnStub.exe |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | ApnStub.exe, PID 1840 |
Creates a hidden or system file Show sources
| file_write | C:\Users\user\AppData\Local\Temp\BIT6216.tmp |