Windows Analysis Report
r4xiHKy8aM.exe

Overview

General Information

Sample name: r4xiHKy8aM.exe
renamed because original name is a hash value
Original sample name: ad6450fa3a0cba712b6f880ceeaf4c44.exe
Analysis ID: 1579764
MD5: ad6450fa3a0cba712b6f880ceeaf4c44
SHA1: 29cd179c9844e0e17286489cc4a2c4f82641f59c
SHA256: 73e2561cb0af3c016accbec37e4b406b2caafed7a12f3177dcc52eecd0d1fcc4
Tags: exeuser-abuse_ch
Infos:

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Uses known network protocols on non-standard ports
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\DivXConverter\DivXConverter.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: r4xiHKy8aM.exe Virustotal: Detection: 31% Perma Link
Source: r4xiHKy8aM.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Joe Sandbox ML: detected
Source: C:\ProgramData\DivXConverter\DivXConverter.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045D254 ArcFourCrypt, 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045D23C ArcFourCrypt, 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Unpacked PE file: 3.2.megasoftdivxconverter.exe.400000.0.unpack
Uses 32bit PE files
Source: r4xiHKy8aM.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivX Converter_is1 Jump to behavior
Source: unknown HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-AMIHI.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-39UBV.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-AMIHI.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-GBC9B.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-39UBV.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 2024 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 2024
Source: unknown Network traffic detected: HTTP traffic on port 2024 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 2024
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49862 -> 46.8.225.74:2024
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.8.225.74 46.8.225.74
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View IP Address: 188.119.66.185 188.119.66.185
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49856 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49849 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49869 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49899 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49882 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49890 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49918 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49923 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49910 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49931 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49954 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49948 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49961 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49904 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49995 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50001 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50032 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50040 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49943 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49987 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49981 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50008 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50014 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49875 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49975 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49937 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50020 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49969 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50026 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49882 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49869 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49849 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49918 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49899 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49923 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49931 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49890 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49981 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49961 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49987 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49943 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49937 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49995 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49904 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50001 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50026 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50032 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50020 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50014 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:50008 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49875 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49969 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49954 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49856 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49910 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49948 -> 188.119.66.185:443
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49975 -> 188.119.66.185:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15dd05633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2710db378b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15dd05633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2710db378b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=3B57534F2CE5FB590C19846A67E8B286&steamid=76561197992591303 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=3B57534F2CE5FB590C19846A67E8B286&steamid=76561197992591303 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.225.74
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02CDEA5C InternetReadFile, 3_2_02CDEA5C
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxContent-Type: application/json; charset=UTF-8Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 441Expires: Mon, 23 Dec 2024 07:45:24 GMTDate: Mon, 23 Dec 2024 07:45:24 GMTConnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 00 ad 96 c9 6a e4 50 0c 45 ff c5 eb 2c 24 3d 8d f5 2b 21 84 90 54 d3 86 74 75 13 d7 ae a8 7f cf 35 a1 77 f5 c0 e6 19 0c 1e b0 0f 1a ae ae 7c 9b 7e 7d cd e7 cb c7 f2 39 2f d7 e9 74 fb 7f 3b 9d 9e 6f d3 72 3d bf fd 99 3f a6 d3 14 6e ce 5c 51 6e 4d 29 c8 a6 a7 e9 eb fc f9 76 9d ff 5e 96 df f3 3f bc f2 f3 21 9e ff 5c bc 2e f3 e5 fd 3c 9d e8 fe f4 18 94 9c 6a e6 c3 a0 10 b1 a4 1a 8f 28 9c 38 9d c7 23 4a 6e a5 25 b5 19 c4 cd 03 5f 4b 5a 97 18 41 8d 72 3c b4 26 54 de e8 08 90 38 19 1f 00 8a 58 d3 1b 07 29 9a 67 7a 40 8d dc ac 88 b7 b7 af 0b 0a b4 f4 90 ae c5 9a da 0e 41 75 41 d9 aa dc f5 00 50 b4 c4 69 1c 54 24 e8 5c 3b 00 24 2e 5e b2 7d e8 e0 1b 0e f1 11 77 89 4e 69 3e 6e 2c 25 c6 d9 f4 08 50 09 f4 34 5e ac 6a 44 28 d8 ae 62 39 13 06 de bb 44 4e d6 b6 dd 3c 59 d0 75 85 88 a2 4b 2c 66 e5 03 92 c5 34 27 f3 76 87 81 1d 1b 0e d2 ec 11 3d 90 6a 8c 9b 1f 96 17 33 db 68 8e 49 c4 ec 62 c3 2e 9a c4 92 65 54 db 17 04 8b 91 ad 63 fc 78 8c 92 90 21 ad 6e b1 a3 fc d6 a4 a5 48 eb 10 55 45 9d 63 47 8c e8 a6 c0 3f ed f1 7e 4d 32 41 37 55 76 a8 77 25 6a 84 f6 ea e8 e8 ac 71 db 2e 91 35 6b 25 d4 52 3b c4 2c b6 82 57 ee fb ab 80 f0 a5 13 23 96 a5 22 ca dc 91 b5 c2 c7 a0 35 7d 3c b3 58 e3 92 eb 9f dd 76 a7 43 d1 57 1f 26 eb 11 b1 68 24 85 b6 4f 08 88 d9 20 8e d0 fb cb fd fe 0d d1 90 fd b1 df 0a 00 00 Data Ascii: jPE,$=+!Ttu5w|~}9/t;or=?n\QnM)v^?!\.<j(8#Jn%_KZAr<&T8X)gz@AuAPiT$\;$.^}wNi>n,%P4^jD(b9DN<YuK,f4'v=j3hIb.eTcx!nHUEcG?~M2A7Uvw%jq.5k%R;,W#"5}<XvCW&h$O
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxContent-Type: application/json; charset=UTF-8Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 441Expires: Mon, 23 Dec 2024 07:45:24 GMTDate: Mon, 23 Dec 2024 07:45:24 GMTConnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 00 ad 96 c9 6a e4 50 0c 45 ff c5 eb 2c 24 3d 8d f5 2b 21 84 90 54 d3 86 74 75 13 d7 ae a8 7f cf 35 a1 77 f5 c0 e6 19 0c 1e b0 0f 1a ae ae 7c 9b 7e 7d cd e7 cb c7 f2 39 2f d7 e9 74 fb 7f 3b 9d 9e 6f d3 72 3d bf fd 99 3f a6 d3 14 6e ce 5c 51 6e 4d 29 c8 a6 a7 e9 eb fc f9 76 9d ff 5e 96 df f3 3f bc f2 f3 21 9e ff 5c bc 2e f3 e5 fd 3c 9d e8 fe f4 18 94 9c 6a e6 c3 a0 10 b1 a4 1a 8f 28 9c 38 9d c7 23 4a 6e a5 25 b5 19 c4 cd 03 5f 4b 5a 97 18 41 8d 72 3c b4 26 54 de e8 08 90 38 19 1f 00 8a 58 d3 1b 07 29 9a 67 7a 40 8d dc ac 88 b7 b7 af 0b 0a b4 f4 90 ae c5 9a da 0e 41 75 41 d9 aa dc f5 00 50 b4 c4 69 1c 54 24 e8 5c 3b 00 24 2e 5e b2 7d e8 e0 1b 0e f1 11 77 89 4e 69 3e 6e 2c 25 c6 d9 f4 08 50 09 f4 34 5e ac 6a 44 28 d8 ae 62 39 13 06 de bb 44 4e d6 b6 dd 3c 59 d0 75 85 88 a2 4b 2c 66 e5 03 92 c5 34 27 f3 76 87 81 1d 1b 0e d2 ec 11 3d 90 6a 8c 9b 1f 96 17 33 db 68 8e 49 c4 ec 62 c3 2e 9a c4 92 65 54 db 17 04 8b 91 ad 63 fc 78 8c 92 90 21 ad 6e b1 a3 fc d6 a4 a5 48 eb 10 55 45 9d 63 47 8c e8 a6 c0 3f ed f1 7e 4d 32 41 37 55 76 a8 77 25 6a 84 f6 ea e8 e8 ac 71 db 2e 91 35 6b 25 d4 52 3b c4 2c b6 82 57 ee fb ab 80 f0 a5 13 23 96 a5 22 ca dc 91 b5 c2 c7 a0 35 7d 3c b3 58 e3 92 eb 9f dd 76 a7 43 d1 57 1f 26 eb 11 b1 68 24 85 b6 4f 08 88 d9 20 8e d0 fb cb fd fe 0d d1 90 fd b1 df 0a 00 00 Data Ascii: jPE,$=+!Ttu5w|~}9/t;or=?n\QnM)v^?!\.<j(8#Jn%_KZAr<&T8X)gz@AuAPiT$\;$.^}wNi>n,%P4^jD(b9DN<YuK,f4'v=j3hIb.eTcx!nHUEcG?~M2A7Uvw%jq.5k%R;,W#"5}<XvCW&h$O
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxContent-Type: application/json; charset=UTF-8Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 598Expires: Mon, 23 Dec 2024 07:45:40 GMTDate: Mon, 23 Dec 2024 07:45:40 GMTConnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 00 95 96 cb 4e 94 51 10 84 df e5 5f b3 e8 fb 85 57 31 c6 18 c1 38 09 a2 61 d8 11 de dd fa 05 77 74 62 67 42 06 e6 f2 51 e7 74 75 75 bf 1c df 9f 2e f7 8f 77 d7 87 cb f5 f9 b8 7d f9 f7 e7 71 fb e9 e5 b8 3e df 7f fd 79 b9 3b 6e 8f 0c 0f e6 2e 22 0a c9 6a 3f 6e 8e a7 fb 87 af cf 97 5f 8f d7 1f 97 df f8 c8 db 17 f1 fa db 2f 5f ae 97 c7 6f f7 c7 2d 3b be 43 a2 92 af 37 1f 12 39 c5 db ad fe 9f 68 0d 01 11 a4 03 51 52 23 55 63 a5 51 14 4a 26 8d 96 51 05 e6 82 a8 59 46 4d 13 d1 8d 94 da 17 a7 fe 7b 8f c4 4c 03 11 0a cd da 68 77 8f 96 49 35 10 cb 9c 84 ab 37 c4 b6 22 b5 18 89 e9 ac 64 2b a2 b0 72 4d b5 ae 96 94 de d4 fa af 46 95 1e 34 32 dc d8 0c 95 ab ca 18 8b f8 44 84 fc 0e 95 05 11 1a 83 25 46 a2 37 6a 9d b5 23 6a eb 58 19 0e c7 93 51 ee 7a 46 10 08 83 7b 38 e1 03 6f 93 15 91 91 2e de 1f 13 85 d8 2a 39 16 7e 3c 89 09 bf f9 40 c4 fb e9 d9 ab 9e 39 85 c4 a8 d1 4f 99 54 0b e2 79 8f 16 ca 32 11 1b e9 c8 be eb 19 0f fc f0 40 0c 13 f7 e2 dd a9 15 32 7b ba c7 ac 40 ec d6 62 2a bc fb d1 87 7c c4 75 c0 e1 6e 3b 3f 52 b3 fa 90 8f aa 4c 8e 07 ef 92 22 92 cb 06 a2 05 72 a2 36 ee 81 46 84 81 d9 50 6b 10 0b b5 e6 e5 e4 12 ce 1a ba 50 0d e5 c6 ff 5c f6 4c 50 c9 e0 70 f5 c6 e4 d2 de 55 86 43 7d 4a 33 4d 0b c1 78 dd b9 27 30 4a 26 87 6b a6 21 76 73 e9 f0 33 1f a7 53 67 25 45 6c b2 e7 d4 88 b5 26 a6 ca a0 b3 83 4c 76 f7 78 46 6a 4d a7 2e 57 8e 92 45 e2 9e 49 e1 6a d3 54 d0 0a c3 5c d8 76 61 99 ca a4 b1 cf cd a7 72 79 6a b5 ec a9 67 d0 f3 6d 9e 8b 7c 7c 4f 0a 99 4e dd 8c aa 19 ed 76 5c 46 00 ea 94 14 6d 2d b5 ec 99 a4 4c 98 78 22 16 1b 96 c1 05 11 b5 4e 13 1b 13 f7 8c 48 a5 e5 96 a2 48 98 99 d8 68 1b da f8 f1 dd e1 d3 6e 66 58 b4 02 7b fa 32 29 3c 5c 87 c9 65 a7 13 6a 4b 4c 31 8a 21 29 12 8b 1e c6 c6 66 03 00 b1 19 e1 23 af 9f 5f 5f ff 00 b1 e9 ef a5 91 0d 00 00 Data Ascii: NQ_W18awtbgBQtuu.w}q>y;n."j?n_/_o-;C79hQR#UcQJ&QYFM{LhwI57"d+rMF42D%F7j#jXQzF{8o.*9~<@9OTy2@2{@b*|un;?RL"r6FPkP\LPpUC}J3Mx'0J&k!vs3Sg%El&LvxFjM.WEIjT\varyjgm||ONv\Fm-Lx"NHHhnfX{2)<\ejKL1!)f#__
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxContent-Type: application/json; charset=UTF-8Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 598Expires: Mon, 23 Dec 2024 07:45:40 GMTDate: Mon, 23 Dec 2024 07:45:40 GMTConnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 00 95 96 cb 4e 94 51 10 84 df e5 5f b3 e8 fb 85 57 31 c6 18 c1 38 09 a2 61 d8 11 de dd fa 05 77 74 62 67 42 06 e6 f2 51 e7 74 75 75 bf 1c df 9f 2e f7 8f 77 d7 87 cb f5 f9 b8 7d f9 f7 e7 71 fb e9 e5 b8 3e df 7f fd 79 b9 3b 6e 8f 0c 0f e6 2e 22 0a c9 6a 3f 6e 8e a7 fb 87 af cf 97 5f 8f d7 1f 97 df f8 c8 db 17 f1 fa db 2f 5f ae 97 c7 6f f7 c7 2d 3b be 43 a2 92 af 37 1f 12 39 c5 db ad fe 9f 68 0d 01 11 a4 03 51 52 23 55 63 a5 51 14 4a 26 8d 96 51 05 e6 82 a8 59 46 4d 13 d1 8d 94 da 17 a7 fe 7b 8f c4 4c 03 11 0a cd da 68 77 8f 96 49 35 10 cb 9c 84 ab 37 c4 b6 22 b5 18 89 e9 ac 64 2b a2 b0 72 4d b5 ae 96 94 de d4 fa af 46 95 1e 34 32 dc d8 0c 95 ab ca 18 8b f8 44 84 fc 0e 95 05 11 1a 83 25 46 a2 37 6a 9d b5 23 6a eb 58 19 0e c7 93 51 ee 7a 46 10 08 83 7b 38 e1 03 6f 93 15 91 91 2e de 1f 13 85 d8 2a 39 16 7e 3c 89 09 bf f9 40 c4 fb e9 d9 ab 9e 39 85 c4 a8 d1 4f 99 54 0b e2 79 8f 16 ca 32 11 1b e9 c8 be eb 19 0f fc f0 40 0c 13 f7 e2 dd a9 15 32 7b ba c7 ac 40 ec d6 62 2a bc fb d1 87 7c c4 75 c0 e1 6e 3b 3f 52 b3 fa 90 8f aa 4c 8e 07 ef 92 22 92 cb 06 a2 05 72 a2 36 ee 81 46 84 81 d9 50 6b 10 0b b5 e6 e5 e4 12 ce 1a ba 50 0d e5 c6 ff 5c f6 4c 50 c9 e0 70 f5 c6 e4 d2 de 55 86 43 7d 4a 33 4d 0b c1 78 dd b9 27 30 4a 26 87 6b a6 21 76 73 e9 f0 33 1f a7 53 67 25 45 6c b2 e7 d4 88 b5 26 a6 ca a0 b3 83 4c 76 f7 78 46 6a 4d a7 2e 57 8e 92 45 e2 9e 49 e1 6a d3 54 d0 0a c3 5c d8 76 61 99 ca a4 b1 cf cd a7 72 79 6a b5 ec a9 67 d0 f3 6d 9e 8b 7c 7c 4f 0a 99 4e dd 8c aa 19 ed 76 5c 46 00 ea 94 14 6d 2d b5 ec 99 a4 4c 98 78 22 16 1b 96 c1 05 11 b5 4e 13 1b 13 f7 8c 48 a5 e5 96 a2 48 98 99 d8 68 1b da f8 f1 dd e1 d3 6e 66 58 b4 02 7b fa 32 29 3c 5c 87 c9 65 a7 13 6a 4b 4c 31 8a 21 29 12 8b 1e c6 c6 66 03 00 b1 19 e1 23 af 9f 5f 5f ff 00 b1 e9 ef a5 91 0d 00 00 Data Ascii: NQ_W18awtbgBQtuu.w}q>y;n."j?n_/_o-;C79hQR#UcQJ&QYFM{LhwI57"d+rMF42D%F7j#jXQzF{8o.*9~<@9OTy2@2{@b*|un;?RL"r6FPkP\LPpUC}J3Mx'0J&k!vs3Sg%El&LvxFjM.WEIjT\varyjgm||ONv\Fm-Lx"NHHhnfX{2)<\ejKL1!)f#__
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15dd05633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2710db378b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15dd05633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2710db378b HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=3B57534F2CE5FB590C19846A67E8B286&steamid=76561197992591303 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=3B57534F2CE5FB590C19846A67E8B286&steamid=76561197992591303 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic HTTP traffic detected: GET /ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36host: api.steampowered.comaccept-encoding: gzip, deflateConnection: close
Source: global traffic DNS traffic detected: DNS query: api.steampowered.com
Source: r4xiHKy8aM.tmp, r4xiHKy8aM.tmp, 00000001.00000000.2135167670.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NES4A.tmp.1.dr, r4xiHKy8aM.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: r4xiHKy8aM.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: r4xiHKy8aM.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: r4xiHKy8aM.exe, 00000000.00000003.2134745784.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.exe, 00000000.00000003.2134559409.0000000002350000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.tmp, r4xiHKy8aM.tmp, 00000001.00000000.2135167670.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NES4A.tmp.1.dr, r4xiHKy8aM.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: r4xiHKy8aM.exe, 00000000.00000003.2134745784.00000000020B8000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.exe, 00000000.00000003.2134559409.0000000002350000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.tmp, 00000001.00000000.2135167670.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-NES4A.tmp.1.dr, r4xiHKy8aM.tmp.0.dr String found in binary or memory: http://www.remobjects.com/psU
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, megasoftdivxconverter.exe, 00000003.00000002.3385587926.0000000003357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/.
Source: megasoftdivxconverter.exe, 00000003.00000002.3385587926.0000000003357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/A
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/C
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e3008888325
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/allowedCert_OS_1
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/mCerti
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/rosoft
Source: megasoftdivxconverter.exe, 00000003.00000002.3385587926.0000000003357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://188.119.66.185/w
Source: r4xiHKy8aM.exe, 00000000.00000002.3383602081.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.exe, 00000000.00000003.2134141142.0000000002350000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.exe, 00000000.00000003.2134213841.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.tmp, 00000001.00000002.3383847362.0000000000555000.00000004.00000020.00020000.00000000.sdmp, r4xiHKy8aM.tmp, 00000001.00000003.2136939065.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.tmp, 00000001.00000003.2136845961.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, r4xiHKy8aM.tmp, 00000001.00000002.3384199471.0000000001FE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.6:49849 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: is-GBC9B.tmp.1.dr Binary or memory string: DirectDrawCreateEx memstr_ed707d44-5
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0042F520 NtdllDefWindowProc_A, 1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00423B84 NtdllDefWindowProc_A, 1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004125D8 NtdllDefWindowProc_A, 1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00478AC0 NtdllDefWindowProc_A, 1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457594
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E934
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Detected potential crypto function
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_0040840C 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004706A8 1_2_004706A8
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004809F7 1_2_004809F7
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004352C8 1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004673A4 1_2_004673A4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0043DD50 1_2_0043DD50
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0043035C 1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004444C8 1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004345C4 1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00444A70 1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00486BD0 1_2_00486BD0
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00430EE8 1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045F0C4 1_2_0045F0C4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00445168 1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045B174 1_2_0045B174
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00469404 1_2_00469404
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00445574 1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004519BC 1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00487B30 1_2_00487B30
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0048DF54 1_2_0048DF54
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_004067B7 3_2_004067B7
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609660FA 3_2_609660FA
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6092114F 3_2_6092114F
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6091F2C9 3_2_6091F2C9
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096923E 3_2_6096923E
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6093323D 3_2_6093323D
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095C314 3_2_6095C314
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60950312 3_2_60950312
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094D33B 3_2_6094D33B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6093B368 3_2_6093B368
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096748C 3_2_6096748C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6093F42E 3_2_6093F42E
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60954470 3_2_60954470
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609615FA 3_2_609615FA
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096A5EE 3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096D6A4 3_2_6096D6A4
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609606A8 3_2_609606A8
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60932654 3_2_60932654
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60955665 3_2_60955665
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094B7DB 3_2_6094B7DB
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6092F74D 3_2_6092F74D
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60964807 3_2_60964807
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094E9BC 3_2_6094E9BC
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60937929 3_2_60937929
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6093FAD6 3_2_6093FAD6
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096DAE8 3_2_6096DAE8
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094DA3A 3_2_6094DA3A
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60936B27 3_2_60936B27
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60954CF6 3_2_60954CF6
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60950C6B 3_2_60950C6B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60966DF1 3_2_60966DF1
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60963D35 3_2_60963D35
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60909E9C 3_2_60909E9C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60951E86 3_2_60951E86
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60912E0B 3_2_60912E0B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60954FF8 3_2_60954FF8
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C894B3 3_2_02C894B3
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6BAED 3_2_02C6BAED
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C72A70 3_2_02C72A70
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6D31F 3_2_02C6D31F
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C670B0 3_2_02C670B0
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C5E079 3_2_02C5E079
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C7266D 3_2_02C7266D
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6BF05 3_2_02C6BF05
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6873A 3_2_02C6873A
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6B5F9 3_2_02C6B5F9
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C70DA4 3_2_02C70DA4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\DivXConverter\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: String function: 02C67750 appears 32 times
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: String function: 02C72A00 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: String function: 004460A4 appears 59 times
PE file contains executable resources (Code or Archives)
Source: r4xiHKy8aM.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: r4xiHKy8aM.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: r4xiHKy8aM.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: megasoftdivxconverter.exe.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: is-NES4A.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NES4A.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-NES4A.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: DivXConverter.exe.3.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
PE file contains more sections than normal
Source: sqlite3.dll.3.dr Static PE information: Number of sections : 19 > 10
Source: is-VAN72.tmp.1.dr Static PE information: Number of sections : 19 > 10
Sample file is different than original file name gathered from version info
Source: r4xiHKy8aM.exe, 00000000.00000003.2134745784.00000000020B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs r4xiHKy8aM.exe
Source: r4xiHKy8aM.exe, 00000000.00000003.2134559409.0000000002350000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs r4xiHKy8aM.exe
Uses 32bit PE files
Source: r4xiHKy8aM.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/26@1/3
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C5F8C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError, 3_2_02C5F8C0
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455E0C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: CreateServiceA, 3_2_0040D8AA
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance, 1_2_0046E0E4
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_0040D1E5 StartServiceCtrlDispatcherA, 3_2_0040D1E5
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_0040D1E5 StartServiceCtrlDispatcherA, 3_2_0040D1E5
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe File created: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp Jump to behavior
Source: Yara match File source: 3.0.megasoftdivxconverter.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.2151776565.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\DivXConverter\DivXConverter.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-OD00T.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: megasoftdivxconverter.exe, megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: megasoftdivxconverter.exe, megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: megasoftdivxconverter.exe, megasoftdivxconverter.exe, 00000003.00000002.3386475756.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, megasoftdivxconverter.exe, 00000003.00000003.2157496220.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.3.dr, is-VAN72.tmp.1.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: r4xiHKy8aM.exe Virustotal: Detection: 31%
Source: r4xiHKy8aM.exe ReversingLabs: Detection: 42%
Source: r4xiHKy8aM.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: r4xiHKy8aM.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe File read: C:\Users\user\Desktop\r4xiHKy8aM.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\r4xiHKy8aM.exe "C:\Users\user\Desktop\r4xiHKy8aM.exe"
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Process created: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp "C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp" /SL5="$10404,3284048,56832,C:\Users\user\Desktop\r4xiHKy8aM.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe "C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe" -i
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Process created: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp "C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp" /SL5="$10404,3284048,56832,C:\Users\user\Desktop\r4xiHKy8aM.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe "C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe" -i Jump to behavior
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivX Converter_is1 Jump to behavior
Source: r4xiHKy8aM.exe Static file information: File size 3533028 > 1048576
Source: Binary string: msvcp71.pdbx# source: is-AMIHI.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-39UBV.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-AMIHI.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-GBC9B.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-39UBV.tmp.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Unpacked PE file: 3.2.megasoftdivxconverter.exe.400000.0.unpack .amtt2:ER;.antt2:R;.aott2:W;.rsrc:R;.aptt2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Unpacked PE file: 3.2.megasoftdivxconverter.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .amtt2
PE file contains sections with non-standard names
Source: megasoftdivxconverter.exe.1.dr Static PE information: section name: .amtt2
Source: megasoftdivxconverter.exe.1.dr Static PE information: section name: .antt2
Source: megasoftdivxconverter.exe.1.dr Static PE information: section name: .aott2
Source: megasoftdivxconverter.exe.1.dr Static PE information: section name: .aptt2
Source: is-GBC9B.tmp.1.dr Static PE information: section name: Shared
Source: is-VAN72.tmp.1.dr Static PE information: section name: /4
Source: is-VAN72.tmp.1.dr Static PE information: section name: /19
Source: is-VAN72.tmp.1.dr Static PE information: section name: /35
Source: is-VAN72.tmp.1.dr Static PE information: section name: /51
Source: is-VAN72.tmp.1.dr Static PE information: section name: /63
Source: is-VAN72.tmp.1.dr Static PE information: section name: /77
Source: is-VAN72.tmp.1.dr Static PE information: section name: /89
Source: is-VAN72.tmp.1.dr Static PE information: section name: /102
Source: is-VAN72.tmp.1.dr Static PE information: section name: /113
Source: is-VAN72.tmp.1.dr Static PE information: section name: /124
Source: DivXConverter.exe.3.dr Static PE information: section name: .amtt2
Source: DivXConverter.exe.3.dr Static PE information: section name: .antt2
Source: DivXConverter.exe.3.dr Static PE information: section name: .aott2
Source: DivXConverter.exe.3.dr Static PE information: section name: .aptt2
Source: sqlite3.dll.3.dr Static PE information: section name: /4
Source: sqlite3.dll.3.dr Static PE information: section name: /19
Source: sqlite3.dll.3.dr Static PE information: section name: /35
Source: sqlite3.dll.3.dr Static PE information: section name: /51
Source: sqlite3.dll.3.dr Static PE information: section name: /63
Source: sqlite3.dll.3.dr Static PE information: section name: /77
Source: sqlite3.dll.3.dr Static PE information: section name: /89
Source: sqlite3.dll.3.dr Static PE information: section name: /102
Source: sqlite3.dll.3.dr Static PE information: section name: /113
Source: sqlite3.dll.3.dr Static PE information: section name: /124
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: megasoftdivxconverter.exe.1.dr Static PE information: section name: .amtt2 entropy: 7.752066202875672
Source: DivXConverter.exe.3.dr Static PE information: section name: .amtt2 entropy: 7.752066202875672

Persistence and Installation Behavior
barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02C5E8A2
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\uninstall\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-VAN72.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe File created: C:\ProgramData\DivXConverter\DivXConverter.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-39UBV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\gdiplus.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\sqlite3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\msvcp71.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-BMNQE.tmp Jump to dropped file
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe File created: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\uninstall\is-NES4A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-AMIHI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe File created: C:\ProgramData\DivXConverter\sqlite3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-GBC9B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\msvcr71.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp File created: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.dll (copy) Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe File created: C:\ProgramData\DivXConverter\DivXConverter.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe File created: C:\ProgramData\DivXConverter\sqlite3.dll Jump to dropped file

Boot Survival
barindex
Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_02C5E8A2
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_0040D1E5 StartServiceCtrlDispatcherA, 3_2_0040D1E5

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 2024 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 2024
Source: unknown Network traffic detected: HTTP traffic on port 2024 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 2024
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Contains functionality to query network adapater information
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_02C5E9A6
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Window / User API: threadDelayed 9713 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\uninstall\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-VAN72.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-39UBV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\gdiplus.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\msvcp71.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-BMNQE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\uninstall\is-NES4A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-AMIHI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\is-GBC9B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3I6GN.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\msvcr71.dll (copy) Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Evasive API call chain: GetSystemTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe API coverage: 5.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe TID: 716 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe TID: 716 Thread sleep time: -422000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe TID: 5716 Thread sleep time: -1320000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe TID: 716 Thread sleep count: 9713 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe TID: 716 Thread sleep time: -19426000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Thread delayed: delay time: 60000 Jump to behavior
Source: megasoftdivxconverter.exe, 00000003.00000002.3383991626.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, megasoftdivxconverter.exe, 00000003.00000002.3385587926.0000000003340000.00000004.00000020.00020000.00000000.sdmp, megasoftdivxconverter.exe, 00000003.00000002.3383991626.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C680F0 IsDebuggerPresent, 3_2_02C680F0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C6E6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_02C6E6AE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C55E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 3_2_02C55E59
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C680DA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_02C680DA
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_02C5E85A cpuid 3_2_02C5E85A
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-7L21N.tmp\r4xiHKy8aM.tmp Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Users\user\Desktop\r4xiHKy8aM.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

Stealing of Sensitive Information
barindex
Yara detected Socks5Systemz
Source: Yara match File source: 00000003.00000002.3384869199.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3385060019.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: megasoftdivxconverter.exe PID: 6536, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Socks5Systemz
Source: Yara match File source: 00000003.00000002.3384869199.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3385060019.0000000002C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: megasoftdivxconverter.exe PID: 6536, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value, 3_2_609660FA
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 3_2_6090C1D6
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave, 3_2_60963143
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 3_2_6096A2BD
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free, 3_2_6096923E
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset, 3_2_6096A38C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 3_2_6096748C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 3_2_609254B1
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 3_2_6094B407
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6090F435 sqlite3_bind_parameter_index, 3_2_6090F435
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16, 3_2_609255D4
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609255FF sqlite3_bind_text, 3_2_609255FF
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free, 3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove, 3_2_6094B54C
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave, 3_2_60925686
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free, 3_2_6094A6C5
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64, 3_2_609256E5
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 3_2_6094B6ED
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6092562A sqlite3_bind_blob, 3_2_6092562A
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave, 3_2_60925655
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 3_2_6094C64A
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 3_2_609687A7
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 3_2_6095F7F7
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave, 3_2_6092570B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 3_2_6095F772
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 3_2_60925778
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6090577D sqlite3_bind_parameter_name, 3_2_6090577D
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 3_2_6094B764
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6090576B sqlite3_bind_parameter_count, 3_2_6090576B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 3_2_6094A894
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 3_2_6095F883
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset, 3_2_6094C8C2
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free, 3_2_6096281E
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset, 3_2_6096583A
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset, 3_2_6095F9AD
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 3_2_6094A92B
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6090EAE5 sqlite3_transfer_bindings, 3_2_6090EAE5
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 3_2_6095FB98
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value, 3_2_6095ECA6
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 3_2_6095FCCE
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free, 3_2_6095FDAE
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob, 3_2_60966DF1
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset, 3_2_60969D75
Source: C:\Users\user\AppData\Local\Megasoft DivX Converter 7.1.11\megasoftdivxconverter.exe Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 3_2_6095FFB2
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579764 Sample: r4xiHKy8aM.exe Startdate: 23/12/2024 Architecture: WINDOWS Score: 100 32 api.steampowered.com 2->32 40 Multi AV Scanner detection for dropped file 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Detected unpacking (changes PE section rights) 2->44 46 7 other signatures 2->46 8 r4xiHKy8aM.exe 2 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\...\r4xiHKy8aM.tmp, PE32 8->18 dropped 11 r4xiHKy8aM.tmp 18 23 8->11         started        process6 file7 20 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->20 dropped 22 C:\Users\user\AppData\...\unins000.exe (copy), PE32 11->22 dropped 24 C:\Users\user\AppData\Local\...\is-NES4A.tmp, PE32 11->24 dropped 26 13 other files (5 malicious) 11->26 dropped 14 megasoftdivxconverter.exe 1 19 11->14         started        process8 dnsIp9 34 188.119.66.185, 443, 49849, 49856 FLYNETRU Russian Federation 14->34 36 46.8.225.74, 2024, 49862, 49881 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 14->36 38 api.steampowered.com 104.102.49.254, 49990, 50038, 80 AKAMAI-ASUS United States 14->38 28 C:\ProgramData\DivXConverter\sqlite3.dll, PE32 14->28 dropped 30 C:\ProgramData\...\DivXConverter.exe, PE32 14->30 dropped file10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
46.8.225.74
 unknown Russian Federation
28917 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics false
104.102.49.254
 api.steampowered.com United States
16625 AKAMAI-ASUS false
188.119.66.185
 unknown Russian Federation
209499 FLYNETRU false

Contacted Domains

Name IP Active
api.steampowered.com 104.102.49.254 true
ax-0001.ax-msedge.net 150.171.28.10 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://188.119.66.185/ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15dd05633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2710db378b false
    		unknown
    https://188.119.66.185/ai/?key=8f3f2b3ae14615677411efa3231e72eee7c4db7e40b92a8dcd6c946d47b842819e7c4ce718c34f7f6323f3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7398fddda935a false
      		unknown