Play interactive tour

Edit tour

Windows Analysis Report yRqHWQ91dT

Overview

General Information

Sample Name:	yRqHWQ91dT (renamed file extension from none to exe)
Analysis ID:	508840
MD5:	b50ffa06eca2b3a4d92562561fc6b2d1
SHA1:	4cdbdb338a22fd11f0fcc973598e25ba54529db3
SHA256:	a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected Ursnif

Detected unpacking (changes PE section rights)

PE file has a writeable .text section

Writes or reads registry keys via WMI

Machine Learning detection for dropped file

Writes registry values via WMI

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Drops files with a non-matching file extension (content does not match file extension)

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Installs a global mouse hook

Binary contains a suspicious time stamp

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

yRqHWQ91dT.exe (PID: 5776 cmdline: 'C:\Users\user\Desktop\yRqHWQ91dT.exe' MD5: B50FFA06ECA2B3A4D92562561FC6B2D1)

msiexec.exe (PID: 3428 cmdline: msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 2952 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 640 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

audiodent.exe (PID: 5656 cmdline: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe MD5: A0052D6EAC0D6D4296DE89213447416D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: audiodent.exe PID: 5656	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.audiodent.exe.7f70000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.audiodent.exe.83b94a0.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.audiodent.exe.83b94a0.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 9.2.audiodent.exe.7f70000.1.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Joe Sandbox ML: detected

Source: 9.2.audiodent.exe.980000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Source: audiodent.exe, 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==-----END PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt	Jump to behavior

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: Joe Sandbox View

ASN Name: VM-HOSTINGRU VM-HOSTINGRU

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443

Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t2.symcb.com0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcd.com0&
Source: 530d7c.msi.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/home/buynow.html
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://www.mega-nerd.com/libsndfile/
Source: audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/error
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/I
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawF
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://groups.google.com/forum/#
Source: audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/
Source: audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO
Source: audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: https://www.grsoftware.net
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp

Binary or memory string: GetRawInputData

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: audiodent.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI14BC.tmp

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\530d79.msi

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_00406945
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040711C
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EA5C160
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFC0
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F77FBE
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7836E

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981C90 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981703 NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_009819A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F79A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7B1E5 NtQueryVirtualMemory,

Source: yRqHWQ91dT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: audiodent.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Section loaded: libtrg2.dll

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\user\Desktop\yRqHWQ91dT.exe

Jump to behavior

Source: yRqHWQ91dT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\yRqHWQ91dT.exe 'C:\Users\user\Desktop\yRqHWQ91dT.exe'
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File created: C:\Users\user\AppData\Local\Temp\nsz2BB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/22@3/1

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F78F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: yRqHWQ91dT

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Mutant created: \Sessions\1\BaseNamedObjects\COIN_LIBRARY_PROCESS_5656

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: yRqHWQ91dT.exe

Static file information: File size 7580858 > 1048576

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFAF push ecx; ret
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E9AC push 0B565A71h; ret
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E62F push edi; retf
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AC00 push ecx; ret

Source: libEGL.dll.4.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.4.dr	Static PE information: section name: .voltbl

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

Source: yRqHWQ91dT.exe	Static PE information: real checksum: 0x0 should be: 0x742c54
Source: libEGL.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x1b503
Source: audiodent.exe.4.dr	Static PE information: real checksum: 0xa095fa should be:
Source: qclp2.dll.4.dr	Static PE information: real checksum: 0x403d8b should be: 0x4105cf
Source: Typography.GlyphLayout.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x73e6

Source: SQLitePCLRaw.batteries_v2.dll.4.dr

Static PE information: 0xA466DFED [Sun May 27 16:10:21 2057 UTC]

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe TID: 2200

Thread sleep time: -240000s >= -30000s

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_6EA60A70 LoadLibraryW,GetProcAddress,SetThreadDescription,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RaiseException,

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36EF7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB33A55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36F7F mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB25F3D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB16501 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E cpuid

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture21	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Obfuscated Files or Information1	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection2	Software Packing21	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	System Information Discovery25	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading31	DCSync	Security Software Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion21	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Process Discovery3	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection2	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yRqHWQ91dT.exe	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.yRqHWQ91dT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
9.2.audiodent.exe.7f70000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
1.0.yRqHWQ91dT.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
9.2.audiodent.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://get.updates.avast.cn/I	0%	Avira URL Cloud	safe
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy	0%	Avira URL Cloud	safe
http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf	0%	Avira URL Cloud	safe
https://www.grsoftware.net	0%	Avira URL Cloud	safe
https://huyasos.in/	0%	Avira URL Cloud	safe
http://www.grsoftware.net/home/buynow.html	0%	Avira URL Cloud	safe
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/	0%	Avira URL Cloud	safe
https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke	0%	Avira URL Cloud	safe
http://www.mega-nerd.com/libsndfile/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
huyasos.in	185.98.87.196	true	true		unknown
get.updates.avast.cn	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bitbucket.org/Coin3D/	audiodent.exe.4.dr	false		high
https://get.updates.avast.cn/I	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy	audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	yRqHWQ91dT.exe	false		high
http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://bitbucket.org/Coin3D/error	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://www.thawte.com/cps0/	530d7c.msi.4.dr	false		high
http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	530d7c.msi.4.dr	false		high
https://github.com/ericsink/SQLitePCL.rawX	SQLitePCLRaw.core.dll.4.dr	false		high
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://www.advancedinstaller.com	530d7c.msi.4.dr	false		high
https://www.grsoftware.net	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://huyasos.in/	audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/ericsink/SQLitePCL.raw	SQLitePCLRaw.core.dll.4.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	yRqHWQ91dT.exe	false		high
https://github.com/ericsink/SQLitePCL.rawF	SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr	false		high
http://www.grsoftware.net/home/buynow.html	ReadMe.txt.4.dr	false	Avira URL Cloud: safe	unknown
https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO	audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke	audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML	audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
https://groups.google.com/forum/#	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false		high
http://www.mega-nerd.com/libsndfile/	audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.98.87.196	huyasos.in	Russian Federation		205840	VM-HOSTINGRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	508840
Start date:	25.10.2021
Start time:	17:05:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	yRqHWQ91dT (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/22@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 38.5% (good quality ratio 37.4%) Quality average: 80.1% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 55% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 13.107.42.16, 13.107.5.88, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.203.78.112 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, e12564.dspb.akamaiedge.net, config-edge-skype.l-0007.l-msedge.net, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0007.config.skype.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:06:47	API Interceptor	2x Sleep call for process: audiodent.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
huyasos.in	OfsNSr9oYp.exe	Get hash	malicious	Browse	95.181.178.82
huyasos.in	W1qNIM5mQL.exe	Get hash	malicious	Browse	95.181.178.82

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VM-HOSTINGRU	installer.exe	Get hash	malicious	Browse	185.98.87.179
	0Xe1Rmpae5.exe	Get hash	malicious	Browse	185.98.87.65
	MtYLiiai45.exe	Get hash	malicious	Browse	185.98.87.65
	wVVTcS6zyZ.exe	Get hash	malicious	Browse	185.98.87.149
	_00541_Purchase Order_.xlsx	Get hash	malicious	Browse	185.98.87.149
	Hlxj8nfBay.exe	Get hash	malicious	Browse	92.242.40.244
	cpMHTTwNC1.exe	Get hash	malicious	Browse	92.242.40.244
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	report_11.20.doc	Get hash	malicious	Browse	92.242.40.104
	New Price Quotation.exe	Get hash	malicious	Browse	92.242.40.195
	Canon Invoice - SG191009 & SG191008-pdf.exe	Get hash	malicious	Browse	92.242.40.195
	BANK_TT_PDF.exe	Get hash	malicious	Browse	92.242.40.195
	SWIFT MT103 MIDLGB31.exe	Get hash	malicious	Browse	92.242.40.195
	P117_881_pdf.exe	Get hash	malicious	Browse	92.242.40.195
	T8823_pdf.exe	Get hash	malicious	Browse	92.242.40.195
	SC-08453.exe	Get hash	malicious	Browse	92.242.40.195
	Revised PO 106622.exe	Get hash	malicious	Browse	92.242.40.195
	6FmrsohIP6g8w7i.exe	Get hash	malicious	Browse	92.242.40.195
	jkZKRSpFycGYr28.exe	Get hash	malicious	Browse	92.242.40.195

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Windows\Installer\MSI14BC.tmp	o4c8AUtX1g.exe	Get hash	malicious	Browse
C:\Windows\Installer\MSI14BC.tmp	farcry6_repack.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\530d7b.rbs Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	11078
Entropy (8bit):	5.746451563704331
Encrypted:	false
SSDEEP:	192:XYW1elYlxwrGBkmAnQZorAWax08RkpzTX344OL4B0eqsfn8cEYHsfn8cEY4nRS6J:XYUeljAWax08RkpzTX344OL4BnfnihfY
MD5:	1B30CF4F480C59E05A5C1540289760CA
SHA1:	37786DEA0D2A951B5DFAE6E02652EDF272AD9C19
SHA-256:	94BC18376E4915500F830DEBC436AA330A44346526D28634BA250794286B2FF3
SHA-512:	9D5D00651E068DAF9551F60BDB301C7D3A7CDFBD55574A1E81805A7CF532166CC3486623E99D789ECE10439BA72DF3B7041B4566646BF3B6A4DD742CA0638AC9
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.YS.@.....@.....@.....@.....@.....@......&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}..CSS Validator..CssValidator.msi.@.....@.. ..@.....@........&.{2E68BFCA-136D-489B-99E7-02370AE416AC}.....@.....@.....@.....@.......@.....@.....@.......@......CSS Validator......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{834EA0BB-8035-4ACB-9366-174CC245FFAC}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{F40562C3-E5CF-4975-B128-0CB43DBE0174}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{C321E67B-035D-49DD-B4D5-4B5285D7B97D}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{7F85F72B-E3A4-4884-A6D2-F057681DC710}&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}.@......&.{572BD592-23BE-4219-874A-9F3CC4AB9FEC}&.{8C4E8105-89CF-

C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi Download File
Process:	C:\Users\user\Desktop\yRqHWQ91dT.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Reputation:	low
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	5.127745905239685
Encrypted:	false
SSDEEP:	24:lDiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:lDiJzfPvGt7ICQH+sfIte36AFD
MD5:	F8436F54558748146EC7EBD61CA6AC38
SHA1:	EF226E5B023D458EFCDC59DC653694D89802F81C
SHA-256:	34F6F27C26D1BB8682EBB42AE401F558228FD608455BD7C6561D5FD500B7D05B
SHA-512:	5B310B48BBEE286F03E645E4BFAD0EC870A7C68C445D54F46F3EAAA9C427F9DE6CD0561D451838BD53C78A5289E9F0BDA19CDA4257A4657580AFA6C357913050
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Copyright (c) 2013-2019 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION.WITH

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3319
Entropy (8bit):	4.74915258074069
Encrypted:	false
SSDEEP:	96:mFc2eAg2pZGQlvzRCyLiqxt2X3I8Si0mebrSv:zfAgmrRhL4I8SiWbrSv
MD5:	CBD32695674DCFBA5C4609DEFCAFDF55
SHA1:	6F5C934CB49845AF6B59683544A95A7E4B515DCE
SHA-256:	2568688DD3418B21FD0D4CD416C1A759DE9DAE759E192BCCF834D3EC2E1E7F2C
SHA-512:	AE430B2FEE5864BB4130C44C26A90A2053B098C4E783AD0AD9C587B3E4FD1A38E7AD5D87C5AF6E598ED7D1A6A766F104B4C07599FCD282248E655FFBAC2C2668
Malicious:	false
Reputation:	low
Preview:	END-USER LICENSE AGREEMENT FOR GRSOFTWARE SOFTWARE GRBackPro.....IMPORTANT - READ CAREFULLY: This GRSoftware End-User License Agreement is a legal agreement between you (either an individual or a single entity) and GRSoftware for the GRSoftware product identified above, which includes computer software and may include associated media, printed materials, and "online" or electronic documentation ("SOFTWARE PRODUCT"). By installing, copying, or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this End-User License Agreement, do not install or use the SOFTWARE PRODUCT; you may however, return it to your place of purchase for a full refund.....SOFTWARE PRODUCT LICENSE....The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold. You may not rent, lease, or lend the SOFTWARE PRODUCT. You may permanently transfer all your rights under

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ISO-8859 text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20212
Entropy (8bit):	4.793794798262899
Encrypted:	false
SSDEEP:	384:DtfgszUGxVnoOxazTGExOrDDDuUMOT4SsWv:xLxVnoVzTG3kk4E
MD5:	8EB0D56C86DA3080CFE2F9BAB6D6318C
SHA1:	A63256C40D34B844D2DB2F2DFB2A6C068F2F1E19
SHA-256:	091CBA047A79B4BE6A10FF265153D44C8474CC24FBC0B9C17775F481738AE8DD
SHA-512:	12E15DE204C2EDF2AB4D57E2A35D96DC2D6296079EC1C86CEAAA7510336F9C57CC833C10EE50F592797C700DD729D3076065523FFB83B0DEBA5B872BD4EED249
Malicious:	false
Reputation:	low
Preview:	Distribution Summary..~~~~~~~~~~~~~~~~~~~~~....GRBackPro: Professional backup for Windows 10/8.1/8/7/Vista/XP ans Windows Server 2019/2016/2012/2008/2003 v9.3.x..Release Date: 19 October 2021..Categories: backup utility, file utility, system utility..Supported Platforms: Win10, Win8.1, Win2019, Win2016, Win2012, Win8, Win7, Win2008, Vista, Win2003, WinXP....Description..~~~~~~~..GRBackPro is a professional Windows backup program that helps you maintain your..vital computer data. It can re-create your source folder tree onto the..destination drive (or a single compressed archive) and for every folder it can..copy your files or create a PKZIP. compatible compressed archive with long file..name support and password protection. You can run a full, incremental or..differential backup of your files. You can synchronize your backup..files/directories with your sources. You can easily restore all or just some..files to either the original source or to a new location. You can define..multiple b

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	4.288309221167179
Encrypted:	false
SSDEEP:	48:64+lYpBBasD07Nf4yBrl/KckU1N4zOuS0GiWekJWC27fSMBBhAA+vnaOLhWLsnO/:yOalx/lCcXYz1S0Gx7i7zHAA+CO/I
MD5:	E3DDBE5680FAD01D0E5B7B963181BC06
SHA1:	BECCE75CDA9222511E9F8D480B145CE6C24A6CCF
SHA-256:	07A2736DF9434B0FBBC5C441A76726CA66EB21554622B5F09D797EA01DF9F0C7
SHA-512:	055E2AE9079B2CB8DE58F01CA19C8561C21349406186A1E884765AA074C57740E7E6C4A43C3E4A939F1316F4D8114671032D76F61DEB9B0C7BEB9C1D10076579
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..........." ..0..............)... ...@....... ..............................j.....`..................................)..O....@..`....................`......\(..T............................................ ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......d ..x....................'.......................................(.....s....(.....BSJB............v4.0.30319......l.......#~..L.......#Strings............#US.........#GUID.......`...#Blob...........G..........3................................................6.m.....m...s.Z...............q...........V.............................Y...........8.1.....1.....1.....(...............1.9...........1.9.....P ............W ..............T.....T.....T...).T...1.T...9.T...A.T...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	5.803306723899389
Encrypted:	false
SSDEEP:	768:DQPUEF4XAR8QTqUp6H1Y1wDUmydr8wqlUUUUaeoJdFUUUUUUjIM5UUUV/NLF44vQ:HXAR8QTqUpC91ydLJdr8dbhi1FLsu
MD5:	358BF09045A59A1B85ACD9BC0A592904
SHA1:	53CF59D7B192F570D528B4D5C72DFA7AC25E1D7B
SHA-256:	6BE5D612830990F4185DEA66B4BAABE191D641A3A97E081A2F62FBADF2AF5B0F
SHA-512:	8E99956FAEDD57E83FB46CC2DE6D241BE9ED6B0A6967B00F7518FF461D28DBB67A3B00CB8ED22981A635E0688B53C79A507F4D92AF88F9F290980AA0BEF5B555
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{..........." ..0.............N.... ........... ....................... ............`.....................................O.......0...............................T............................................ ............... ..H............text...T.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B................-.......H.......0@......................p.........................................(......(......(...........Z~....,..oA...&.............b~....-.r...ps....z~.....(#...o7....0..........(#......o8.....(....Q6.(.....(%....0..........(#........o9.....(....QR.(.......(....('...:(#......o>...N.(.....(.....()...2(#....o:...2(#....o;.....o......o....2(#....o<...2(#....o=...6(#.....o.......0..........s ......}"....{"...-...+....!...s.......(1...6(#.....o....6..(....(3..

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.551074874821588
Encrypted:	false
SSDEEP:	1536:/RzZVISfvupRJ5d82N40duRlYy33r7HfrmYs0c6mRFgDJ8pYeFU6yTaM/eT72VmH:Zc5wAJlMq
MD5:	6A5E8F425D04F3BC66360F2BF07688A4
SHA1:	E7627232FD39730D90F11D979F1DAC6356A5244A
SHA-256:	2A45581E2ED65CAE497A199A56F311FA08B3D8C1B777E936F15D04D0B96923D1
SHA-512:	06FC1C49B40EDD398AB81505E906065D3C9B52782F7E310A71CB17FF27E5521249A6CA81E18E1A546186308CC872EB4A28ACB120D055A04B31850BEC1642D8E6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0.............Z.... ... ....... .......................`.......n....`.....................................O.... .......................@..........T............................................ ............... ..H............text...`.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................9.......H.......4E..$...................X.......................................6.......(.....~....F~H......o\|......N........s....o...+..0............(........~......o.....0............(........~I.....o.....0..%.........(..........(........~J.......o........0..H.........(..........(........~K....o.............(....(.........{........o....2~#....o....2~"....o....2~F....ot...6~G.....ox...:~H......o\|...2~$....o....2~%....o....>.(.......o.......0..N........,........s.....

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	5.68164166116722
Encrypted:	false
SSDEEP:	768:nL++D20WXYjIzkPkPhh55Rru026caYscRZyQ5yuyc8VqaVYDRY1YXojnKLkI+lIG:a+S0WXYjIzkPkPhh55Rru026caYscRZK
MD5:	B7102F54D13AF5F4B66B12692DDE2D51
SHA1:	8A5619C2AA731AACF9D83EAFF3133FE0C63659DB
SHA-256:	C6CB095CEA1A39307A0579E9EC7C7D7161D04E88A245476417FE0C7D12A9B85E
SHA-512:	3577B57CA1656D0D939BF7A03F0D7D0A86C8797B57900F42690F83704681C7FDDA0919158011C29EBEA1AA66E53A28252CEFA15C84A8E32DF9E2EC41C128C433
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.4..........." ..0.............2.... ........... ....................................`....................................O.......................................T............................................ ............... ..H............text...8.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........2...w..................0........................................r...p2...(.......N........s....o...+....0............(........(........0............(.........(...........(.......0..>.........(.........(........(...........(....(.........{.......o5.....(......(......(...."..(....&...(......(......(....>.(.......o........0..I........,........sl.......s.....+......s.......(................(.........o........0............(.......(....2.(....(........0..

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.565938052019052
Encrypted:	false
SSDEEP:	768:W8cd6x5pyqNfNbttXqLYIA69kP2ulg4Q:WAx5p7fdXqLYIv9kPK4Q
MD5:	3301FD842AC418CF18BC96FA52D2D497
SHA1:	80B32039DF1C2439046DFCB30120D7BE8FACEAAB
SHA-256:	91CA98A59CE9B3347F6F23A0C52C714C4E56AE862956D9465E12E6D07EF87CD6
SHA-512:	051F218D9120F2E3D3E19301B73BF3D4FA0582456C032D6A3C2A05435754907092C41352B3EA9B2228A599081EFD87BF7D32633D87ADFEBB197D5A1B265BC15F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........." ..0..b............... ........... ....................................@....................................O.................................................................................... ............... ..H............text...$a... ...b.................. ..`.rsrc................d..............@..@.reloc...............j..............@..B........................H........>...@............................................................(....^.(.......5...%...}....:.(......}....:.(......}....>..}......}....~..,..(....+..}......(....}....R.{....-..{........F..2.. ..../........0..L........(....-..o.........o....%..(.....%..(.....%..(.......(........b...b`..b`.`.0...........(......( ...(!.......io"...2.{....(....2.{....(......o#...,...{.....{....s~....(......{....o$.....}.....{....o%....{....o&...*..0..B........{.....o'...

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_achieved.png Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 889 x 886, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	104621
Entropy (8bit):	7.961279215007163
Encrypted:	false
SSDEEP:	1536:aEdO/Zg43pJQup/9SUe/73fYcBHLV1fqlABxM2urRCGYnf0qYtWZX2ywtgV2/ug1:aEOW4jI5/7AcBHLV9qgxc3chb424H1
MD5:	A2B879334ED0DED12343695E26E30554
SHA1:	581DCF49F959F35B13A71705B917A61658BD7836
SHA-256:	ECDBDF4A3A32936E79327FD7CA276340E89960CCB6CAA665A27BBB8EA774C83D
SHA-512:	2050065D7D4EADEBD7814E76A18039FECF6C93AE5D145777761CAA452CBE3C7C4D7122EC709F60990254D2A4F4CFF3DD0774A9FDCA08C5AA8BD4C40D7A087FF0
Malicious:	false
Preview:	.PNG........IHDR...y...v.....D.@.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.w..gv.....0. '.....,w.AKz.[.kI..jW.K.....H..$9.....)..RI.l..OZ..#......4...L.ynN.....h.. .wnx~U/.owc.N...y..-!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!.e.R.!...7n.m?q..!KYY.d2Y_RR......W....q...nA.V"..Vj...z....e...X,.~Nb...Sh..>..4..,....t.]...+`..sU.!.0...B...1...o....j;V+.lh. ..,.X..-G[.V...<.nn...?.......S.a..VLP...R"..."...X...`}..o....]v....g.Z..z.m..SW.o.p......B.).yB.Q$@X.d._{.eh..n.9.8...4+.y......h%..o\.A...Z.W`..v..D.B`x..`.~..... K.t......b.m..n.B../..<........].q.X.l6.......m.g?...={......B.!..u.B.Q`.....s..5h.r.:...F.....Hk@s....B.Q........TD..#s.lc:&....%...;.D..{..,%....8.2.!..6.cX..h\g..4..........Ha..a...3X.).....&!.{..y...B.....B.<.....f$.\5x..W...E.S.q<..b..-.L!GqF!g..%._..]X.".....3.G.g.@X,..V.c.A.M...6K../8..[F.iL.c...........0..!.e........E.4......E.1a..\..h~S..x..q.[......B......B.......N.........i.*.....).,h.p.X.

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_progress.png Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 1024 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	66444
Entropy (8bit):	7.695795199213902
Encrypted:	false
SSDEEP:	1536:/og6riWZ+mPCTR4dEWsEbr22JCziI9fWvWBkAXQqj0DgUB62rBcUWD/:l6pHKT+Nm2kDfW0jgI08UU2ru9D/
MD5:	3559215A74E795F065A0EBA888FAB63E
SHA1:	78834C228B2BCEF9A2D22D8B407BFF1901955043
SHA-256:	8EB9852560A3E6ED0790A8B40CEDEEEFF8A39D6F2985738EC81DFE9445F61D8A
SHA-512:	9E5FD39BB5E420F2172B25E15B75ED988FBA1343925AD019D8636932DDA9B20090E2F14BA48F3E1B003EB499910E43FD5870CD122188FC8EB39684E3253A8F2B
Malicious:	false
Preview:	.PNG........IHDR...............+... .IDATx^.....YY...Tw..LfI....df....&..Q..l.V......(..+......WTT.....-...P.M...YTHv....f.d..L6..u?..YY.....Su~...'{.:.y...f..Sb. .... .@b..*./.......~S...7Q.].off..?OLL\.....+..g..s..+...'....g.....?.FU.^c.%c.....1fEU..s..W...{..........b.........Z.. ..E.^..U.. .....x...qb.L.... ...._......... .....x!...1..k.X,.....yY.h.r.???/......MM......o....H..E..Xo...l6...r...^[[..m..ApO>..guu5..p1.`.....@.......J%.....@.'.....^...m....p..233....\.w.">...N.^\\\|.1..;=?..T..c..@..:..........b.8366voR.1/.. .......p.:.... .S......Z..DQ$g..v..%q.....O.O...TU/..ic.)U=-"..s..&A.\...VO.`p..@........`Q.....@.;..w.~bb.>.....}wd.YXXx....[.i......c.6.\i..Z...".;...'''....".... ....v.8....@.i.#G....r.u..X,..B!..r..{.b...h.OU.D..c..V..\.w...i.!hG.c.@...\....je.....@.!.\.woQ.....m.............B.#r".. ...}....'h.A....hO`.{......e...~{~..E..]....7....8...._.bC..8....@...4...... .....x..}{...\Z.4..V..._%P..........Q...[.L.... ..........

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10532352
Entropy (8bit):	6.6035389772335265
Encrypted:	false
SSDEEP:	98304:zihKeDg7JMqrr43ls1WcIiy36CpnNZ6zk9zYAl3P43N4tGqFbd3HuLeLunGrfSTT:IRBqnE50ytnNUAl/40RHZMEfWtR
MD5:	A0052D6EAC0D6D4296DE89213447416D
SHA1:	2F3ED143855A0490D8E3EC564FE27A3F72FA4916
SHA-256:	C57A1C9570FF6CEFF0A08770A142C348B5B3E5B2C03417C03C0FBFFB7707069F
SHA-512:	0352C179F4D2F6E5CEAA116B885203E613662F6D93D9AE7B2FC8FC0FAF89DD4889A66C5D4DA9D12CC8D38D7BB4E38A116E9A0E4F629E51979D07EA7EB4996D61
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........1:.._i.._i.._i..i.._i&(.i.._i&(.i.._i..\h.._i..[h.._i..Zh.._i..^h.._ia.^h.._i..^i.._i..Zh.._iN.Vh.._iN.Zh.._iN.[h.._iN._h.._iN..i.._i...i.._iN.]h.._iRich.._i....7...6...7.......7...Rich6...........PE..L...-6ua.................hl..J4.......c.......l...@.......................................@............................................0h......................H~...i..T....................j.......i..@.............l..............................text...-fl......hl................. ....rdata...\|$...l..~$..ll.............@..@.data...P..........................@....rsrc...0h.......j.................@..@.reloc..H~...........6..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	109056
Entropy (8bit):	6.49594862756501
Encrypted:	false
SSDEEP:	3072:cM7DNjsmbZIwfTCR7GrVXFb5Q3jaZRUjF0rQDGYoM:XX7CRwVh5QsRKDGxM
MD5:	E4B0061BFC552111AA9F6A63AC61B1B9
SHA1:	2F4F9A0E179EB17FF077C3BBA30C09E1EA0E0C0F
SHA-256:	17C8685F54EFD76AE5C3171F146910772B49A3D733CDA66E2FBC5C64CE800214
SHA-512:	978D41141967FDBD509D081F1FB107F13C61EABB4E13712D7D4FEF51997AD0273F211901AD46E0A352770FD849F15B878AFF1B02B3600880160D1213DC9B53A4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...PC.^.........."!.................'....................................................@....................................(....... .......................l....~...............................(...............................................text............................... ..`.rdata...t... ...v..................@..@.data...............................@....00cfg..............................@..@.voltbl.d................................rsrc... ...........................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4254720
Entropy (8bit):	6.929231407239177
Encrypted:	false
SSDEEP:	49152:nJ6Wv9ViKjOpvDNXbqgf5gHUkphV7DkzigZAIcn2vjkMcRc/s+kobXnz/q/xnd/s:nJ6Wv9VBS9DJxzIV7Dkms5ZVQa
MD5:	7FC7D8096392A3887F53F85A570137C6
SHA1:	18822D95CDB79D25ACFCFFED8395CC208AA03D04
SHA-256:	F6B6D5C0EA15112F428A83B923B879EC43AA54D7677AD29E763532881509DEED
SHA-512:	CAC312C0700EACFF4A2FFAAB844275AC9D0093C64AA1C74D4A94822D02117E3A55BA1310500B4D1024DCB075720B9FFB2DCD0FDBCF8748C72A4890E24D53E7C0
Malicious:	false
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.........1:.._i.._i.._i..i.._i&(.i.._i&(.i.._i..\h.._i..[h.._i..Zh.._i..^h.._ia.^h.._i..^i.._i..Zh.._iN.Vh.._iN.Zh.._iN.[h.._iN._h.._iN..i.._i...i.._iN.]h.._iRich.._i'y......'y......Rich....................PE..L...18ua...........!................)b....... ................................A......=@...@...........................;.H.....;.T.....>..k....................?.....p.:.......................:.......:.@............ ...............................text............................... ..`.rdata....... ......................@..@.data........ <..`....<.............@....rsrc....k....>..l...j=.............@..@.reloc........?.......>.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	442111
Entropy (8bit):	7.994446353856369
Encrypted:	true
SSDEEP:	6144:aorUBWkDwzCvAmehaITUjbhl+jG8xgGS21gdIjuFFuybeBq//GvucNIrbRQ873vS:ahWgFomnll+ABHILycq3GGcNIrbfev
MD5:	DCED29FE7B0769AF598BE6684DD85677
SHA1:	DF5808C075F7AD586A858D1B71449C954C648A37
SHA-256:	84855FF6E0BB4BB79E4CC13B600C26633340CAA3FDEC16504E7006777213C0F4
SHA-512:	2408B866FA00EC9342BAC2223BF3092FAFFB8481BB8B0D4BBBEF4305739497211619A01DB2E8AC18563888E4755D2E36AF208459013D6BA781F4F06C00654F6E
Malicious:	false
Preview:	%PDF-1.5.%.....1 0 obj <<./Length 587 ./Filter /FlateDecode.>>.stream.x.mTM..@...+z.&...?.tBL.$..d4.......<.._...f..W._w..r..c;...`G.U.O.V.&..........[v...6.W.7..T..vb...uYt/N....5......=..S.<b...G...I(vEwv+OR8$.....6mQ.oB.J)........3.q..X.ysO'.H.)-."...}......[...<V^...[l..F.x.M..(Ob..q..Z.g..Bz.......<../V......[m..Xq.Y...g..'.R.D.....?k3.q8~.J.....#........8.}.RC.g..%.P...)..{.4..".a/.. .C..^.@..8YC..%Md_b.g..4..L.0^.O....\.......p..g...\...8~.s..3.....{M...Nq7.,j.6..f-.S.A.'..A.!.:.O...L.0...x/i.dB.n..^.ySS.W.+%={.I.b.......o..k.....c.6\|f...3.4.{...p.Y.d.r...K.+H..........WA..........4nfh.i0.Ei..ZW5v.&...@.I....6..endstream.endobj.2 0 obj <<./Length 598 ./Filter /FlateDecode.>>.stream.x.mTM..@...+z.&...?.tBL.0..d4.......<..~U..f..W._u...v..c;Z..........MfG..}...I.]/....m..o.....0^'..^.x]f.kn{..EK{*..u.pg..6;..$4..;..gZ8,.....M[T.P.RJG.e.W.xm......E.7......."/....7......j;{Y..."1.t.m.\|...o.ir...I..c..>[T...En.n#....b.....

C:\Windows\Installer\530d79.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\530d7c.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7775232
Entropy (8bit):	7.95100555954072
Encrypted:	false
SSDEEP:	196608:rY7cfmLhGlwa2wQiXAytyTCpj59zHpmzSTnUT4R+:rY7cfmLYwMQiXAytJ55gzSTw
MD5:	4C0F425E456ED7904F1B207FAD617EBE
SHA1:	56304F5446B7DB91314E252143E59353072A6F28
SHA-256:	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
SHA-512:	C9AD2C0B0EBF21F7D683026689429DEF5BC5AA8DE2B3778CB1B84259CF920BF8506A55080BF7B292BE9D37C0B37398802F438C183046C0ECF6CF70D3BF396D35
Malicious:	false
Preview:	......................>...................w...................................C.......~...............................q...................................................................................................................................................................................................................................................................................................................................................................................................................;...............#...2........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...0...-......./...3...1...:...>...4...5...6...7...8...9.......<.......=...f...?...@...A...B...........E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI14BC.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Joe Sandbox View:	Filename: o4c8AUtX1g.exe, Detection: malicious, Browse Filename: farcry6_repack.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI17DA.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1C62.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	5958
Entropy (8bit):	5.682448959061152
Encrypted:	false
SSDEEP:	96:VYW1elER4Nkqt1Cpz339yBst52zKvi2tKfrz5z5zYTO166GyD9iD04c0eXIYYXlH:VYW1elER4Nkqt1Ch39+st52WvztkD14J
MD5:	77E5D1C2DBBFE347BA7AD0E9804631A7
SHA1:	C5EE351655A1F9A078EBA531A0FD492D9FC91F7A
SHA-256:	BC0A8B364763524A9FEDBDBF089D57881E0EE0DB6F3ADF132E062347B22F1C5C
SHA-512:	36A36D58A17DE1357C2D616EFF08A7C73C5B4121AC8730A37837829A080C9FA414F522BA2E2ABC5C844B777AFB35E87A9E75F41E4A10774EDE85A2DF240A2D0C
Malicious:	false
Preview:	...@IXOS.@.....@.YS.@.....@.....@.....@.....@.....@......&.{8C4E8105-89CF-42DC-B547-B756AB6C9EC5}..CSS Validator..CssValidator.msi.@.....@.. ..@.....@........&.{2E68BFCA-136D-489B-99E7-02370AE416AC}.....@.....@.....@.....@.......@.....@.....@.......@......CSS Validator......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{BACEFD7C-2242-4BDA-88CA-278EA0FBAC71}:.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\.@.......@.....@.....@......&.{E1F4536E-7D2A-4F44-81EE-727B5F105E80}..01:\Software\Hemoco bvba\CSS Validator\Version.@.......@.....@.....@......&.{834EA0BB-8035-4ACB-9366-174CC245FFAC}C.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll.@.......@.....@.....@......&.{F40562C3-E5CF-4975-B128-0CB43DBE0174}G.C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe.@.......@.....@.....@......&.{C321E67B-035D-49DD-B4D5-

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	81287
Entropy (8bit):	5.298823419018036
Encrypted:	false
SSDEEP:	192:XL/vcrZZDZo/ZrXczaIcO/gcMH5elWSLk:XDvsDZGrkaIcO/Y5Xuk
MD5:	D3BF7F2FE7D96CF90EB3393D278780A1
SHA1:	BD85EE8A111C1314DCC2658ABCA971B037E4A016
SHA-256:	37E9A251EE2D4D666A49C8252CEFCDC9344F267463F31C1D9E8D5DBEB7912D30
SHA-512:	0040AF5B6E695D9AA089C8424728510DB1D1858DF543F802A4318422EEB6B2C29D1B1904F4B161B43EA7161EB570B4F5468CD8525C6F76B7089DFB119E6365C0
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:38:04.497 [4552]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.513 [4552]: ngen returning 0x00000000..07/23/2020 10:38:04.559 [4480]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.559 [4480]: ngen returning 0x00000000..07/23/2020 10:38:04.622 [4256]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.622 [

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.979283280048606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yRqHWQ91dT.exe
File size:	7580858
MD5:	b50ffa06eca2b3a4d92562561fc6b2d1
SHA1:	4cdbdb338a22fd11f0fcc973598e25ba54529db3
SHA256:	a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
SHA512:	f96b0eb15b5d8b0162b039aa83be39059ec282d2afc11f4a4dcd0069407203a48db2438e0062c197032af3e5bd8d0694ed03d703dfb424bd145c68ccf84ebc8a
SSDEEP:	196608:r175c0ur92j0iXGqUIyBOiC5Bl7l8HiX7wTPcVW1XjYvK:r175c0ur60IGqUIyBSlBhrwTP6k
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	f0dcdcdcdccc7830

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F88C88C23B3h
push ebx
call 00007F88C88C5516h
cmp eax, ebx
je 00007F88C88C23A9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F88C88C5492h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F88C88C238Dh
push 0000000Bh
call 00007F88C88C54EAh
push 00000009h
call 00007F88C88C54E3h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F88C88C54D7h
cmp eax, ebx
je 00007F88C88C23B1h
push 0000001Eh
call eax
test eax, eax
je 00007F88C88C23A9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x29b48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x29b48	0x29c00	False	0.0983345808383	data	3.11769658082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38358	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48b80	0x94a8	data	English	United States
RT_ICON	0x52028	0x5488	data	English	United States
RT_ICON	0x574b0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696	English	United States
RT_ICON	0x5b6d8	0x25a8	data	English	United States
RT_ICON	0x5dc80	0x17a6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5f428	0x10a8	data	English	United States
RT_ICON	0x604d0	0x988	data	English	United States
RT_ICON	0x60e58	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x612c0	0x100	data	English	United States
RT_DIALOG	0x613c0	0x11c	data	English	United States
RT_DIALOG	0x614e0	0x60	data	English	United States
RT_GROUP_ICON	0x61540	0x84	data	English	United States
RT_VERSION	0x615c8	0x240	data	English	United States
RT_MANIFEST	0x61808	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	Copyright 2021
ProductName	CSS Meta Validator
FileDescription	CSS Meta Validator
FileVersion	2.32.2.7
CompanyName	AI Internet Solutions LLC
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 17:08:29.337428093 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.337492943 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.337601900 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.357414961 CEST	49796	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.357439995 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.460875034 CEST	443	49796	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.482651949 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.482693911 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.482920885 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.483618975 CEST	49797	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.483639956 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.590574026 CEST	443	49797	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.592428923 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.592473030 CEST	443	49798	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.592598915 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.593012094 CEST	49798	443	192.168.2.5	185.98.87.196
Oct 25, 2021 17:08:29.593607903 CEST	443	49798	185.98.87.196	192.168.2.5
Oct 25, 2021 17:08:29.593719959 CEST	49798	443	192.168.2.5	185.98.87.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 17:07:07.918047905 CEST	61733	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:07:07.969619989 CEST	53	61733	8.8.8.8	192.168.2.5
Oct 25, 2021 17:08:28.162395954 CEST	59596	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:08:29.209424973 CEST	59596	53	192.168.2.5	8.8.8.8
Oct 25, 2021 17:08:29.319314003 CEST	53	59596	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 25, 2021 17:07:07.918047905 CEST	192.168.2.5	8.8.8.8	0x537b	Standard query (0)	get.updates.avast.cn	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:28.162395954 CEST	192.168.2.5	8.8.8.8	0x82e5	Standard query (0)	huyasos.in	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:29.209424973 CEST	192.168.2.5	8.8.8.8	0x82e5	Standard query (0)	huyasos.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 25, 2021 17:07:07.969619989 CEST	8.8.8.8	192.168.2.5	0x537b	Name error (3)	get.updates.avast.cn	none	none	A (IP address)	IN (0x0001)
Oct 25, 2021 17:08:29.319314003 CEST	8.8.8.8	192.168.2.5	0x82e5	No error (0)	huyasos.in		185.98.87.196	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: yRqHWQ91dT.exe PID: 5776 Parent PID: 5984

General

Start time:	17:06:28
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\yRqHWQ91dT.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\yRqHWQ91dT.exe'
Imagebase:	0x400000
File size:	7580858 bytes
MD5 hash:	B50FFA06ECA2B3A4D92562561FC6B2D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msiexec.exe PID: 3428 Parent PID: 5776

General

Start time:	17:06:30
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Imagebase:	0xdf0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exe PID: 2952 Parent PID: 556

General

Start time:	17:06:31
Start date:	25/10/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6e40a0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msiexec.exe PID: 640 Parent PID: 2952

General

Start time:	17:06:34
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Imagebase:	0xdf0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: audiodent.exe PID: 5656 Parent PID: 2952

General

Start time:	17:06:41
Start date:	25/10/2021
Path:	C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Imagebase:	0x980000
File size:	10532352 bytes
MD5 hash:	A0052D6EAC0D6D4296DE89213447416D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report yRqHWQ91dT

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre