Windows Analysis Report DevInstallerBeta.exe

Overview

General Information

Sample Name: DevInstallerBeta.exe
Analysis ID: 511970
MD5: b864cefdeac3d2c58de4d14bab8265f1
SHA1: a9e0a49eb09498a97a9b55bf01952e3050b5f777
SHA256: 7489f7e92e2ece51c3a05fc381efe352210d16f02326e280ffd4c52821987fa0

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Self deletion via cmd delete
Sample or dropped binary is a compiled AutoHotkey binary
Contains functionality to detect sleep reduction / modifications
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to read data from the clipboard

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: DevInstallerBeta.exe Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.DevInstallerBeta.exe.140000000.0.unpack Avira: Label: TR/Agent.pwc
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.132.145:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: DevInstallerBeta.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_00000001400ACC40
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_000000014003C320
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_00000001400667A0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError, 0_2_0000000140080A40
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc, 0_2_0000000140066AE0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00000001400ACB40

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.192.141.1 104.192.141.1
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.159.136
Source: DevInstallerBeta.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DevInstallerBeta.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DevInstallerBeta.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: DevInstallerBeta.exe String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: DevInstallerBeta.exe, 00000000.00000003.315059789.0000000000977000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.302318746.0000027FF6780000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DevInstallerBeta.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DevInstallerBeta.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DevInstallerBeta.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DevInstallerBeta.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000002.00000002.300507130.0000027F90215000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: DevInstallerBeta.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: DevInstallerBeta.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: DevInstallerBeta.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000002.00000002.289498256.0000027F80210000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.289722709.0000027F80394000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.289161712.0000027F80001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.289722709.0000027F80394000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.289498256.0000027F80210000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DevInstallerBeta.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://accounts.google.com
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://apis.google.com
Source: DevInstallerBeta.exe String found in binary or memory: https://autohotkey.com
Source: DevInstallerBeta.exe String found in binary or memory: https://autohotkey.comCould
Source: DevInstallerBeta.exe, 00000000.00000002.317583250.00000000009BD000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: DevInstallerBeta.exe, 00000000.00000003.249832606.0000000005EDB000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/6ba4c15f-1d12-46cc-bdb7-164bb91831c3/downloads/c1a12c2d-18ce-
Source: DevInstallerBeta.exe, 00000000.00000002.317583250.00000000009BD000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/E%)
Source: DevInstallerBeta.exe, 00000000.00000003.249803846.00000000009BD000.00000004.00000001.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/g%
Source: powershell.exe, 00000002.00000002.292178884.0000027F80BDD000.00000004.00000001.sdmp, manifest.json.2.dr String found in binary or memory: https://betapowertools.com
Source: powershell.exe, 00000002.00000002.290670859.0000027F80995000.00000004.00000001.sdmp, background.js.2.dr String found in binary or memory: https://betapowertools.com/s/
Source: powershell.exe, 00000002.00000002.290670859.0000027F80995000.00000004.00000001.sdmp, background.js.2.dr String found in binary or memory: https://betapowertools.com/s/?nx=
Source: powershell.exe, 00000002.00000002.290670859.0000027F80995000.00000004.00000001.sdmp, background.js.2.dr String found in binary or memory: https://betapowertools.com/thankyou/
Source: powershell.exe, 00000002.00000002.290670859.0000027F80995000.00000004.00000001.sdmp, background.js.2.dr String found in binary or memory: https://betapowertools.com/uninstalled/
Source: DevInstallerBeta.exe, 00000000.00000002.316994560.0000000000911000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: DevInstallerBeta.exe String found in binary or memory: https://bitbucket.org/betadevmode/devmode/downloads/block-floc.zip
Source: DevInstallerBeta.exe, 00000000.00000002.316994560.0000000000911000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/betadevmode/devmode/downloads/block-floc.zip7
Source: DevInstallerBeta.exe, 00000000.00000002.315660019.0000000000880000.00000004.00000040.sdmp String found in binary or memory: https://bitbucket.org/betadevmode/devmode/downloads/block-floc.zipamW6432=C:
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://clients2.google.com
Source: powershell.exe, 00000002.00000002.292178884.0000027F80BDD000.00000004.00000001.sdmp, manifest.json.15.dr, manifest.json.2.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: powershell.exe, 00000002.00000002.299663339.0000027F90060000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.299663339.0000027F90060000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.299663339.0000027F90060000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: 70782fb6-d23b-401a-a1b5-fd012c3722c9.tmp.16.dr, 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr, 6e07f54f-4a10-47ee-98ee-c5157d23df23.tmp.16.dr String found in binary or memory: https://dns.google
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://fonts.googleapis.com
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://fonts.gstatic.com
Source: powershell.exe, 00000002.00000002.289498256.0000027F80210000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000003.262223355.0000027F81C85000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.299663339.0000027F90060000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json.15.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://r6---sn-5hne6n7e.gvt1.com
Source: ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json.15.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: DevInstallerBeta.exe String found in binary or memory: https://sectigo.com/CPS0
Source: DevInstallerBeta.exe String found in binary or memory: https://secure.comodo.com/CPS0L
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://ssl.gstatic.com
Source: DevInstallerBeta.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://www.google.com
Source: manifest.json.15.dr String found in binary or memory: https://www.google.com/
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.15.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.15.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.15.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.15.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.15.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: 4790d452-39a3-4e21-ae55-809d3cf28b04.tmp.16.dr, ff75510d-dab4-48d1-bc45-991de50f5062.tmp.16.dr String found in binary or memory: https://www.gstatic.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.27716.00; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: unknown DNS traffic detected: queries for: bitbucket.org
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007D8A0 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW, 0_2_000000014007D8A0
Source: global traffic HTTP traffic detected: GET /fwlink/?linkid=859524 HTTP/1.0Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.27716.00; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Host: go.microsoft.com
Source: global traffic HTTP traffic detected: GET /wlidsvcconfig.xml HTTP/1.0Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.27716.00; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Host: clientconfig.passport.net
Source: global traffic HTTP traffic detected: GET /betadevmode/devmode/downloads/block-floc.zip HTTP/1.1User-Agent: AutoHotkeyHost: bitbucket.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /6ba4c15f-1d12-46cc-bdb7-164bb91831c3/downloads/c1a12c2d-18ce-4f35-a9f8-0f34887a6a66/block-floc.zip?Signature=CjK3WR8rymSfPNfxoAPzlRQmEEk%3D&Expires=1635534446&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=zFGtrXtow4d6C.OKSOXQeDtE.l2UtMcx&response-content-disposition=attachment%3B%20filename%3D%22block-floc.zip%22 HTTP/1.1User-Agent: AutoHotkeyCache-Control: no-cacheHost: bbuseruploads.s3.amazonaws.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:1 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.132.145:443 -> 192.168.2.7:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400063F0 GetClipboardFormatNameW,GetClipboardData, 0_2_00000001400063F0
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc, 0_2_0000000140054730
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140001B0C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer, 0_2_0000000140001B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140016300 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_0000000140016300
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140006510 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard, 0_2_0000000140006510

System Summary:

Sample or dropped binary is a compiled AutoHotkey binary
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Window found: window name: AutoHotkey
Detected potential crypto function
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001E310 0_2_000000014001E310
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140088360 0_2_0000000140088360
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140048490 0_2_0000000140048490
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140018A20 0_2_0000000140018A20
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001EB30 0_2_000000014001EB30
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140014BA0 0_2_0000000140014BA0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400B0CD0 0_2_00000001400B0CD0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140016D90 0_2_0000000140016D90
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014000CF50 0_2_000000014000CF50
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140005230 0_2_0000000140005230
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001F300 0_2_000000014001F300
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140085530 0_2_0000000140085530
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400415D0 0_2_00000001400415D0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D1724 0_2_00000001400D1724
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D57CC 0_2_00000001400D57CC
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007D8A0 0_2_000000014007D8A0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001F919 0_2_000000014001F919
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140055950 0_2_0000000140055950
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140001B0C 0_2_0000000140001B0C
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140059D20 0_2_0000000140059D20
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001FD1E 0_2_000000014001FD1E
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140124000 0_2_0000000140124000
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007C03F 0_2_000000014007C03F
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140070060 0_2_0000000140070060
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D8074 0_2_00000001400D8074
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140028120 0_2_0000000140028120
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014000A120 0_2_000000014000A120
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140050135 0_2_0000000140050135
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005C140 0_2_000000014005C140
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014004C160 0_2_000000014004C160
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400581A0 0_2_00000001400581A0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400741C0 0_2_00000001400741C0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140076200 0_2_0000000140076200
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140080230 0_2_0000000140080230
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005E250 0_2_000000014005E250
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009825C 0_2_000000014009825C
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014002A2C0 0_2_000000014002A2C0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400A82F0 0_2_00000001400A82F0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014006E380 0_2_000000014006E380
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400503A4 0_2_00000001400503A4
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400523B0 0_2_00000001400523B0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140040410 0_2_0000000140040410
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400BA53B 0_2_00000001400BA53B
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014000A540 0_2_000000014000A540
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007A570 0_2_000000014007A570
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400CE59C 0_2_00000001400CE59C
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014008E5B0 0_2_000000014008E5B0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400605B9 0_2_00000001400605B9
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400DC5FC 0_2_00000001400DC5FC
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140058660 0_2_0000000140058660
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400BC670 0_2_00000001400BC670
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140074680 0_2_0000000140074680
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140020680 0_2_0000000140020680
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140032681 0_2_0000000140032681
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400986A1 0_2_00000001400986A1
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400466C0 0_2_00000001400466C0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014008C6C3 0_2_000000014008C6C3
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140054730 0_2_0000000140054730
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014004A740 0_2_000000014004A740
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400BA760 0_2_00000001400BA760
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D07B0 0_2_00000001400D07B0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400027BB 0_2_00000001400027BB
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400507D0 0_2_00000001400507D0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007E830 0_2_000000014007E830
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400448D0 0_2_00000001400448D0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007A8E0 0_2_000000014007A8E0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014006C8F0 0_2_000000014006C8F0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400A2900 0_2_00000001400A2900
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140064950 0_2_0000000140064950
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400989AD 0_2_00000001400989AD
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400929C0 0_2_00000001400929C0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140034A15 0_2_0000000140034A15
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014008EA20 0_2_000000014008EA20
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140062A60 0_2_0000000140062A60
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140012A90 0_2_0000000140012A90
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140070AD0 0_2_0000000140070AD0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005AB70 0_2_000000014005AB70
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140060B80 0_2_0000000140060B80
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014003EBC0 0_2_000000014003EBC0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400DCBE0 0_2_00000001400DCBE0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140084C00 0_2_0000000140084C00
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D4C18 0_2_00000001400D4C18
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009CC50 0_2_000000014009CC50
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140006C60 0_2_0000000140006C60
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014008CC90 0_2_000000014008CC90
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005CC90 0_2_000000014005CC90
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140034CA5 0_2_0000000140034CA5
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014004ECD0 0_2_000000014004ECD0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140056CE0 0_2_0000000140056CE0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140010CF0 0_2_0000000140010CF0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009ED00 0_2_000000014009ED00
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005ED30 0_2_000000014005ED30
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140058D70 0_2_0000000140058D70
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014004ADC0 0_2_000000014004ADC0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400AEE30 0_2_00000001400AEE30
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140038E2C 0_2_0000000140038E2C
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007CE48 0_2_000000014007CE48
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140050E90 0_2_0000000140050E90
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140070EA1 0_2_0000000140070EA1
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140062ED0 0_2_0000000140062ED0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: String function: 0000000140040160 appears 242 times
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: String function: 00000001400C8EEC appears 155 times
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014005EF30: CreateFileW,DeviceIoControl,CloseHandle, 0_2_000000014005EF30
Sample file name differs from the original file name recorded in its version info
Source: DevInstallerBeta.exe Binary or memory string: OriginalFilename vs DevInstallerBeta.exe
Source: DevInstallerBeta.exe, 00000000.00000000.246715137.0000000140127000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs DevInstallerBeta.exe
PE file contains strange resources
Source: DevInstallerBeta.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DevInstallerBeta.exe 'C:\Users\user\Desktop\DevInstallerBeta.exe'
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell.exe -Command Expand-Archive -LiteralPath 'C:\Users\user\AppData\Roaming\chromeext.zip' -DestinationPath 'C:\Users\user\AppData\Roaming\Chrome'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,4577200323270436935,7797503231216249977,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del 'C:\Users\user\Desktop\DevInstallerBeta.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\DevInstallerBeta.exe File created: C:\Users\user\AppData\Roaming\chromeext.zip
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hvdtogo4.20v.ps1
Source: classification engine Classification label: mal45.evad.winEXE@30/84@6/9
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014007E830 CoInitialize,CoCreateInstance,malloc,malloc,malloc,malloc,malloc,malloc,CoUninitialize, 0_2_000000014007E830
Source: C:\Users\user\Desktop\DevInstallerBeta.exe File read: C:\Program Files\desktop.ini
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400605B9 wcsncpy,GetDiskFreeSpaceW,GetLastError,malloc, 0_2_00000001400605B9
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400415D0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW, 0_2_00000001400415D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: DevInstallerBeta.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Mutant created: \Sessions\1\BaseNamedObjects\AHK Mouse
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Mutant created: \Sessions\1\BaseNamedObjects\AHK Keybd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400203C0 FindResourceW,FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_00000001400203C0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: DevInstallerBeta.exe String found in binary or memory: exe"){ WinClose, ahk_exe chrome.exe Sleep 100 } Run, chrome.exe --start-maximized Sleep 100 st = ahk_class Chrome_WidgetWin_1 WinWait, %st% IfWinNotActive, %st%,, WinActivate, %st% WinGet, WinStatus, MinMax, %st% if (WinStatus != 0) WinRestore, ahk_exe chrome.
Source: DevInstallerBeta.exe String found in binary or memory: Run, chrome.exe --start-maximized
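The report identifies the sample as a compiled AutoHotkey binary, shows the embedded script as plain strings (the two entries above), and lists a resource-loading routine (FindResourceW, SizeofResource, LoadResource, LockResource) together with the "AHK Mouse" / "AHK Keybd" mutants. The following static triage check is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It assumes three UTF-16LE markers: the resource name ">AUTOHOTKEY SCRIPT<" that Ahk2Exe gives the embedded script in AutoHotkey v1 builds (other versions use other names, so the list is not exhaustive) and the two mutex names, which are string literals in the AutoHotkey runtime. The sample blob is constructed; its script lines are the fragment the report shows with line breaks restored, and the byte layout around them is invented. If the script resource is compressed or the file is packed, the line scan finds nothing and only the marker check applies.

```python
import re

# Static markers of a compiled AutoHotkey (v1, Unicode build) binary, all stored UTF-16LE.
# Assumption: this list is not exhaustive; other Ahk2Exe versions use other resource names.
AHK_MARKERS = (">AUTOHOTKEY SCRIPT<", "AHK Mouse", "AHK Keybd")

# Commands and directives that start an AutoHotkey v1 script line (deliberately a short list).
AHK_LINE_RE = re.compile(
    r"^\s*(?:#(?:NoEnv|SingleInstance|Persistent|NoTrayIcon)\b|"
    r"(?:Run|RunWait|WinClose|WinWait|WinActivate|WinGet|WinRestore|Sleep|IfWinNotActive|"
    r"IfWinExist|Send|SendInput|Click|MouseMove|FileInstall|FileDelete|ControlClick|MsgBox|ExitApp)"
    r"(?:,|\s|$))",
    re.I,
)


def find_markers(blob: bytes):
    """Return the AHK_MARKERS present in the file as UTF-16LE strings (sorted)."""
    return sorted(m for m in AHK_MARKERS if m.encode("utf-16-le") in blob)


def extract_script_lines(blob: bytes):
    """Return every NUL/newline-delimited string that parses as an AutoHotkey command line.
    latin-1 decoding keeps the ASCII command names intact whatever the script's real encoding."""
    text = blob.decode("latin-1")
    segments = (s.strip() for s in re.split(r"[\r\n\x00]+", text))
    return [s for s in segments if AHK_LINE_RE.match(s)]


def triage(blob: bytes):
    """Combine both heuristics. 'compiled_ahk' requires a marker AND at least three distinct
    command words, so a lone 'Run ...' string in an unrelated binary is not enough."""
    markers = find_markers(blob)
    lines = extract_script_lines(blob)
    distinct = {AHK_LINE_RE.match(ln).group(0).strip().rstrip(",").lower() for ln in lines}
    return {"markers": markers, "script_lines": lines,
            "compiled_ahk": bool(markers) and len(distinct) >= 3}


# Constructed sample: PE-ish filler, the markers as a resource directory and the runtime would
# hold them, then the script fragment this report lists, with line breaks restored.
SCRIPT_FRAGMENT = "\r\n".join([
    "WinClose, ahk_exe chrome.exe",
    "Sleep 100",
    "}",
    "Run, chrome.exe --start-maximized",
    "Sleep 100",
    "st = ahk_class Chrome_WidgetWin_1",
    "WinWait, %st%",
    "IfWinNotActive, %st%,, WinActivate, %st%",
    "WinGet, WinStatus, MinMax, %st%",
    "if (WinStatus != 0)",
])
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4
    + ">AUTOHOTKEY SCRIPT<".encode("utf-16-le") + b"\x00" * 16
    + "AHK Keybd".encode("utf-16-le") + b"\x00\x00" + "AHK Mouse".encode("utf-16-le")
    + b"\x00" * 32 + SCRIPT_FRAGMENT.encode("utf-8") + b"\x00" * 16
)

if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print("markers:", result["markers"])
    print("compiled AutoHotkey:", result["compiled_ahk"])
    for line in result["script_lines"]:
        print("  ", line)
```

Run against a real file with `triage(open(path, "rb").read())`. The recovered lines are what an analyst wants from this kind of sample: for this one they confirm the intent the report shows only as a flattened string, namely closing any running Chrome, relaunching it maximized and restoring its window.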
Source: C:\Users\user\Desktop\DevInstallerBeta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: DevInstallerBeta.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: DevInstallerBeta.exe Static file information: File size 1217816 > 1048576
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: DevInstallerBeta.exe Static PE information: certificate valid

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFF2C5256B2 push E95D96C4h; iretd 2_2_00007FFF2C5256B9
PE file contains sections with non-standard names
Source: DevInstallerBeta.exe Static PE information: section name: text
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009E010 SendMessageW,SendMessageW,SendMessageW,LoadLibraryW,GetProcAddress,SendMessageW,SendMessageW,SendMessageW, 0_2_000000014009E010

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process created: C:\Windows\system32\cmd.exe /c del 'C:\Users\user\Desktop\DevInstallerBeta.exe'
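The process-creation entries earlier in this report and the self-deletion entry above describe one chain: the sample runs PowerShell Expand-Archive on a zip it wrote to %AppData%, starts chrome.exe, then has cmd.exe delete its own image. Below, as an added example that is not part of the Joe Sandbox report, is that chain expressed as detection logic over process-creation events (Sysmon event 1 or 4688 style records reduced to pid, parent pid, image and command line). The events are constructed from the report's command lines; the PIDs and the benign control event are invented. The rules look for the two behaviours separately and then tie them to a common parent, which is how an analyst would avoid alerting on every interactive Expand-Archive.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, reduced to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the 'Process created' lines of this report; PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\DevInstallerBeta.exe",
              r"'C:\Users\user\Desktop\DevInstallerBeta.exe'"),
    ProcEvent(1010, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"PowerShell.exe -Command Expand-Archive -LiteralPath 'C:\Users\user\AppData\Roaming\chromeext.zip' "
              r"-DestinationPath 'C:\Users\user\AppData\Roaming\Chrome'"),
    ProcEvent(1020, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized"),
    ProcEvent(1030, 1000, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c del 'C:\Users\user\Desktop\DevInstallerBeta.exe'"),
    # Benign control (invented): a user extracting a download into Documents from a console.
    ProcEvent(2000, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Expand-Archive -Path 'C:\Users\user\Downloads\report.zip' "
              r"-DestinationPath 'C:\Users\user\Documents\report'"),
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\", re.I)
# 'del', optional switches such as /f /q, then a quoted or bare path ending the command line.
DEL_RE = re.compile(r"\bdel\b(?:\s+/[a-z])*\s+['\"]?([^'\"]+?)['\"]?\s*$", re.I)


def _ps_arg(cmdline: str, name: str):
    """Value of a PowerShell parameter written as -Name value (quoted or bare), or None."""
    m = re.search(r"-%s\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))" % re.escape(name), cmdline, re.I)
    return next((g for g in m.groups() if g is not None), None) if m else None


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_self_deletion(events):
    """cmd.exe deleting exactly its parent's image: the 'Self deletion via cmd delete' signature."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _image_name(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and m.group(1).strip().lower() == parent.image.lower():
            hits.append({"pid": e.pid, "ppid": e.ppid, "target": parent.image})
    return hits


def find_appdata_expand(events):
    """PowerShell Expand-Archive whose source or destination lies under the user's AppData tree."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _image_name(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        if not re.search(r"expand-archive", e.cmdline, re.I):
            continue
        src = _ps_arg(e.cmdline, "LiteralPath") or _ps_arg(e.cmdline, "Path")
        dst = _ps_arg(e.cmdline, "DestinationPath")
        if any(p and APPDATA_RE.search(p) for p in (src, dst)):
            parent = by_pid.get(e.ppid)
            hits.append({"pid": e.pid, "ppid": e.ppid, "src": src, "dst": dst,
                         "parent": parent.image if parent else None})
    return hits


def correlate(events):
    """Parents that unpacked an archive into AppData, started chrome.exe and deleted themselves:
    the full chain this report records. Returns their PIDs."""
    unpack = {h["ppid"] for h in find_appdata_expand(events)}
    selfdel = {h["ppid"] for h in find_self_deletion(events)}
    browser = {e.ppid for e in events if _image_name(e.image) == "chrome.exe"}
    return sorted(unpack & selfdel & browser)


if __name__ == "__main__":
    print("AppData Expand-Archive:", find_appdata_expand(SAMPLE_EVENTS))
    print("self-deletion:", find_self_deletion(SAMPLE_EVENTS))
    print("chain parents:", correlate(SAMPLE_EVENTS))
```

The self-deletion rule compares the deleted path with the parent's image rather than matching on the string "del" alone, which keeps ordinary cleanup scripts out of the results; the Expand-Archive rule fires on the control event only if its paths touch AppData, which they do not. The correlation step is what turns two medium-confidence signals into the single finding an analyst would actually triage.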
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400B0AF0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 0_2_00000001400B0AF0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400B0CD0 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, 0_2_00000001400B0CD0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140050076 IsZoomed,IsIconic, 0_2_0000000140050076
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140058660 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,GetClassNameW,EnumChildWindows,malloc, 0_2_0000000140058660
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc, 0_2_0000000140054730
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140096770 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, 0_2_0000000140096770
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009085D GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_000000014009085D
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009086D MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_000000014009086D
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140090865 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140090865
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009087B MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_000000014009087B
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009689B ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_000000014009689B
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140096891 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140096891
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400908BF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_00000001400908BF
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400448D0 IsWindow,DestroyWindow,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetWindowRect,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,IsWindow,CreateWindowExW,SendMessageW,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowRect,SendMessageW,SendMessageW, 0_2_00000001400448D0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400968C6 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_00000001400968C6
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400968F8 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_00000001400968F8
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400908F7 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_00000001400908F7
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140090906 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140090906
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009694A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_000000014009694A
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009699C ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_000000014009699C
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400569B0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW, 0_2_00000001400569B0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400929C0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 0_2_00000001400929C0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400969C7 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_00000001400969C7
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014008EA20 SendMessageW,MulDiv,MulDiv,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints, 0_2_000000014008EA20
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009CC50 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect, 0_2_000000014009CC50
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140018A20 0_2_0000000140018A20
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228 Thread sleep time: -3689348814741908s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140058D70 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 00000001400590A3h 0_2_0000000140058D70
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140058D70 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140058F63h 0_2_0000000140058D70
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140014BA0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140014F02h country: Spanish (es) 0_2_0000000140014BA0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001A400 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 000000014001A57Dh country: Russian (ru) 0_2_000000014001A400
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226B7 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_00000001400226B7
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226B7 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_00000001400226B7
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226BF GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_00000001400226BF
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226BF GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_00000001400226BF
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226C6 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_00000001400226C6
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226C6 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_00000001400226C6
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226ED GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_00000001400226ED
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400226ED GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_00000001400226ED
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140022711 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_0000000140022711
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140022711 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_0000000140022711
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140022735 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400228E9h country: Urdu (ur) 0_2_0000000140022735
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140022735 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 00000001400228E9h country: Inuktitut (iu) 0_2_0000000140022735
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4737
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4073
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\DevInstallerBeta.exe API coverage: 5.4 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140018A20 0_2_0000000140018A20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_00000001400ACC40
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_000000014003C320
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_00000001400667A0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError, 0_2_0000000140080A40
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc, 0_2_0000000140066AE0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00000001400ACB40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: DevInstallerBeta.exe, 00000000.00000003.315059789.0000000000977000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D0790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400D0790
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014009E010 SendMessageW,SendMessageW,SendMessageW,LoadLibraryW,GetProcAddress,SendMessageW,SendMessageW,SendMessageW, 0_2_000000014009E010
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D6D5C GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 0_2_00000001400D6D5C
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140014BA0 CloseHandle,CreateMutexW,GetLastError,CloseHandle,GetWindowThreadProcessId,AttachThreadInput,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,GetProcAddress,FreeLibrary,GetTickCount,BlockInput,GetTickCount,PeekMessageW,GetTickCount,PostMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0000000140014BA0
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D2224 SetUnhandledExceptionFilter, 0_2_00000001400D2224
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400D0790 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400D0790

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140016D90 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput, 0_2_0000000140016D90
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400415D0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW, 0_2_00000001400415D0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400185A0 mouse_event, 0_2_00000001400185A0
Source: DevInstallerBeta.exe Binary or memory string: Program Manager
Source: DevInstallerBeta.exe Binary or memory string: Shell_TrayWnd
Source: DevInstallerBeta.exe Binary or memory string: Progman
Source: DevInstallerBeta.exe Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001FD1E SetCurrentDirectoryW,malloc,GetSystemTimeAsFileTime, 0_2_000000014001FD1E
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_00000001400CD9B4 HeapCreate,GetVersion,HeapSetInformation, 0_2_00000001400CD9B4
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140068C10 GetComputerNameW,GetUserNameW, 0_2_0000000140068C10

Stealing of Sensitive Information:

OS version to string mapping found (often used in BOTs)
Source: DevInstallerBeta.exe Binary or memory string: WIN_XP
Source: DevInstallerBeta.exe Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.06\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfo
Source: DevInstallerBeta.exe Binary or memory string: WIN_VISTA
Source: DevInstallerBeta.exe Binary or memory string: WIN_7
Source: DevInstallerBeta.exe Binary or memory string: WIN_8
Source: DevInstallerBeta.exe Binary or memory string: WIN_8.1

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_000000014001E310 PostThreadMessageW,Sleep,GetTickCount,GetExitCodeThread,GetTickCount,Sleep,CloseHandle,CreateMutexW,CloseHandle,CreateMutexW,CloseHandle,Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize, 0_2_000000014001E310
Source: C:\Users\user\Desktop\DevInstallerBeta.exe Code function: 0_2_0000000140072DC0 RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140072DC0