Source: 9.2.audiodent.exe.7f70000.1.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
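The extracted configuration above is the most actionable part of this report: it carries the C2 list, the Serpent key used for request encryption, the bot's RSA blob and the botnet/server identifiers. The following Python is an added example (not code from the report, from Joe Sandbox, or from the Ursnif/ISFB family itself) that turns that JSON into a clean IOC set. It embeds the configuration copied verbatim from the extractor line, deduplicates the C2 list (huyasos.in is listed four times), validates the Serpent key length, fingerprints the RSA blob, and undoes the URI encoding visible in the report's beacon paths, where `_2B` and `_2F` stand for `+` and `/` and the leading `sreamble` segment is a marker word rather than data. Those two substitutions are taken from the URLs shown later in the report; decryption of the resulting Serpent-CBC ciphertext is deliberately not attempted, and base64 padding is not restored because the report's URLs are truncated.

```python
import base64
import hashlib

# Configuration copied verbatim from the report's
# "Malware Configuration Extractor: Ursnif" entry for 9.2.audiodent.exe.7f70000.1.unpack.
URSNIF_CONFIG = {
    "RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV",
    "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in",
                  "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"],
    "botnet": "2002",
    "server": "12",
    "serpent_key": "44004499FJFHGTYB",
    "sleep_time": "10",
    "CONF_TIMEOUT": "20",
    "SetWaitableTimer_value": "0",
    "DGA_count": "10",
}


def unique_c2_domains(config):
    """C2 domains in first-seen order with repeats dropped.
    The Avast-branded name is listed by the extractor as a C2 and is the domain
    the sample resolved in the report's DNS section, so it is blocked like the rest."""
    seen, ordered = set(), []
    for domain in config["c2_domain"]:
        domain = domain.strip().lower().rstrip(".")
        if domain and domain not in seen:
            seen.add(domain)
            ordered.append(domain)
    return ordered


def serpent_key_bytes(config):
    """The key is stored as 16 ASCII characters, i.e. a 128-bit Serpent key.
    Refuse odd lengths instead of silently truncating or padding them."""
    key = config["serpent_key"].encode("ascii")
    if len(key) not in (16, 24, 32):
        raise ValueError(f"unexpected Serpent key length {len(key)}")
    return key


def rsa_blob_bytes(config):
    """The 'RSA Public Key' field is a base64 blob of the bot's embedded key
    (144 bytes here), not DER/PEM; keep it as raw bytes for fingerprinting."""
    blob = config["RSA Public Key"]
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def normalize_ursnif_uri(path):
    """Undo the transport encoding of a beacon path such as
    /sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/...: the first segment is a
    fixed marker word in this sample, the remaining '/' only split the blob,
    and '_2B' / '_2F' carry '+' and '/'. Returns standard base64 of the
    Serpent-CBC ciphertext; decryption is out of scope here."""
    segments = [s for s in path.split("/") if s]
    blob = "".join(segments[1:])
    return blob.replace("_2B", "+").replace("_2F", "/")


def build_iocs(config):
    """Flatten the config into the fields a blocklist or a YARA/Sigma rule would use."""
    return {
        "botnet": config["botnet"],
        "server": config["server"],
        "domains": unique_c2_domains(config),
        "serpent_key_hex": serpent_key_bytes(config).hex(),
        "rsa_blob_sha256": hashlib.sha256(rsa_blob_bytes(config)).hexdigest(),
        "dga_count": int(config["DGA_count"]),
    }


if __name__ == "__main__":
    for k, v in build_iocs(URSNIF_CONFIG).items():
        print(f"{k}: {v}")
```

The botnet and server identifiers together with the Serpent key are a good cluster key: samples sharing them belong to the same operator build even when the packer, the dropped file names and the C2 domains change.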
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Joe Sandbox ML: detected |
Source: 9.2.audiodent.exe.980000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7 |
Source: audiodent.exe, 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==-----END PUBLIC KEY----- |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack |
Source: yRqHWQ91dT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt |
Source: yRqHWQ91dT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr |
Source: | Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr |
Source: | Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr |
Source: | Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr |
Source: | Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr |
Source: | Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr |
Source: C:\Windows\System32\msiexec.exe | File opened: z: |
Source: C:\Windows\System32\msiexec.exe | File opened: x: |
Source: C:\Windows\System32\msiexec.exe | File opened: v: |
Source: C:\Windows\System32\msiexec.exe | File opened: t: |
Source: C:\Windows\System32\msiexec.exe | File opened: r: |
Source: C:\Windows\System32\msiexec.exe | File opened: p: |
Source: C:\Windows\System32\msiexec.exe | File opened: n: |
Source: C:\Windows\System32\msiexec.exe | File opened: l: |
Source: C:\Windows\System32\msiexec.exe | File opened: j: |
Source: C:\Windows\System32\msiexec.exe | File opened: h: |
Source: C:\Windows\System32\msiexec.exe | File opened: f: |
Source: C:\Windows\System32\msiexec.exe | File opened: b: |
Source: C:\Windows\System32\msiexec.exe | File opened: y: |
Source: C:\Windows\System32\msiexec.exe | File opened: w: |
Source: C:\Windows\System32\msiexec.exe | File opened: u: |
Source: C:\Windows\System32\msiexec.exe | File opened: s: |
Source: C:\Windows\System32\msiexec.exe | File opened: q: |
Source: C:\Windows\System32\msiexec.exe | File opened: o: |
Source: C:\Windows\System32\msiexec.exe | File opened: m: |
Source: C:\Windows\System32\msiexec.exe | File opened: k: |
Source: C:\Windows\System32\msiexec.exe | File opened: i: |
Source: C:\Windows\System32\msiexec.exe | File opened: g: |
Source: C:\Windows\System32\msiexec.exe | File opened: e: |
Source: C:\Windows\System32\msiexec.exe | File opened: c: |
Source: C:\Windows\System32\msiexec.exe | File opened: a: |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040646B FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_004027A1 FindFirstFileA, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: Joe Sandbox View | ASN Name: VM-HOSTINGRU VM-HOSTINGRU |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796 |
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443 |
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4 |
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI |
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: yRqHWQ91dT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: yRqHWQ91dT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://t2.symcb.com0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0 |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://tl.symcd.com0& |
Source: 530d7c.msi.4.dr | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: ReadMe.txt.4.dr | String found in binary or memory: http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf |
Source: ReadMe.txt.4.dr | String found in binary or memory: http://www.grsoftware.net/home/buynow.html |
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: http://www.mega-nerd.com/libsndfile/ |
Source: audiodent.exe.4.dr | String found in binary or memory: https://bitbucket.org/Coin3D/ |
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: https://bitbucket.org/Coin3D/error |
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/ |
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/I |
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp | String found in binary or memory: https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke |
Source: SQLitePCLRaw.core.dll.4.dr | String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw |
Source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr | String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawF |
Source: SQLitePCLRaw.core.dll.4.dr | String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX |
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr | String found in binary or memory: https://groups.google.com/forum/# |
Source: audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp | String found in binary or memory: https://huyasos.in/ |
Source: audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp | String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO |
Source: audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp | String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy |
Source: 530d7c.msi.4.dr | String found in binary or memory: https://www.advancedinstaller.com |
Source: 530d7c.msi.4.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: ReadMe.txt.4.dr | String found in binary or memory: https://www.grsoftware.net |
Source: 530d7c.msi.4.dr | String found in binary or memory: https://www.thawte.com/cps0/ |
Source: 530d7c.msi.4.dr | String found in binary or memory: https://www.thawte.com/repository0W |
Source: unknown | DNS traffic detected: queries for: get.updates.avast.cn |
Source: Yara match | File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR |
Source: Yara match | File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY |
Source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp | Binary or memory string: GetRawInputData |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: audiodent.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI14BC.tmp |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\530d79.msi |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_00406945 |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040711C |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EA5C160 |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7AFC0 |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F77FBE |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7836E |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_00981C90 GetProcAddress,NtCreateSection,memset, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_00981703 NtMapViewOfSection, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_009819A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F79A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7B1E5 NtQueryVirtualMemory, |
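The five code-function entries above, read together, describe a section-mapping injection primitive: a section is created (NtCreateSection) and mapped (NtMapViewOfSection), a target is opened and its token inspected (NtOpenProcess, NtQueryInformationToken), and execution is transferred with QueueUserAPC after a thread is created; the report later also shows a Toolhelp32 process walk from the same binary. The following Python is an added example, not part of the report or of Joe Sandbox: it parses sandbox-style "Code function" lines and scores each process by how many stages of that injection chain its imported API set covers. The trace lines are constructed from the report's entries for audiodent.exe (process index 9) and for the NSIS installer (index 1), and the four-stage model and the threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed trace, modelled on the report's "Code function" lines:
# "<proc>_<run>_<address> <comma-separated APIs>". Index 9 is audiodent.exe,
# index 1 is the NSIS installer yRqHWQ91dT.exe (a benign-looking control).
TRACE = [
    "9_2_00981C90 GetProcAddress,NtCreateSection,memset,",
    "9_2_00981703 NtMapViewOfSection,",
    "9_2_009819A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,",
    "9_2_07F79A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,memcpy,NtClose,",
    "9_2_07F78F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,",
    "9_2_07F7AFC0",
    "1_2_0040646B FindFirstFileA,FindClose,",
    "1_2_00403348 EntryPoint,SetErrorMode,GetVersion,OleInitialize,GetTempPathA,ExitProcess,",
]

LINE = re.compile(r"^(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$")

# Stages of a section-mapping injection; each stage is satisfied by any one API.
# The API names in each set are the common alternatives, not a claim about this sample.
INJECTION_STAGES = {
    "target discovery": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                         "NtQuerySystemInformation"},
    "handle acquisition": {"NtOpenProcess", "OpenProcess"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection", "ZwCreateSection",
                        "ZwMapViewOfSection"},
    "execution hijack": {"QueueUserAPC", "NtQueueApcThread", "CreateRemoteThread",
                         "SetThreadContext", "NtSetContextThread"},
}


def apis_by_process(trace):
    """Union of API names per process index; malformed lines are skipped."""
    out = defaultdict(set)
    for line in trace:
        m = LINE.match(line)
        if not m:
            continue
        out[int(m["proc"])].update(a for a in m["apis"].split(",") if a)
    return out


def score_injection(trace, min_stages=3):
    """Return {proc: [stage names hit]} for processes covering at least
    min_stages of the four stages. Requiring several stages keeps a lone
    NtCreateSection (used by loaders and runtimes) from firing on its own."""
    results = {}
    for proc, apis in apis_by_process(trace).items():
        hit = [stage for stage, names in INJECTION_STAGES.items() if apis & names]
        if len(hit) >= min_stages:
            results[proc] = hit
    return results


if __name__ == "__main__":
    for proc, stages in score_injection(TRACE).items():
        print(f"process {proc}: {', '.join(stages)}")
```

Pairing this with a Sysmon view (Event ID 10 process access to a target from a binary in AppData\Roaming, followed by a thread created in that target) turns the static observation into an alert on a live host.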
Source: yRqHWQ91dT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: audiodent.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll |
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll |
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Section loaded: libtrg2.dll |
Source: yRqHWQ91dT.exe | Virustotal: Detection: 13% |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | File read: C:\Users\user\Desktop\yRqHWQ91dT.exe |
Source: yRqHWQ91dT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\yRqHWQ91dT.exe 'C:\Users\user\Desktop\yRqHWQ91dT.exe' |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart |
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V |
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17 |
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe |
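The process chain recorded above is the part of this report that generalises best to detection: an NSIS stub on the desktop runs msiexec with `/i` on an MSI it unpacked into AppData\Local\Temp and `/qn` so no UI is shown, the Windows Installer service then spawns the freshly installed audiodent.exe from AppData\Roaming, and that binary is where the Ursnif payload unpacks. The following Python is an added example, not part of the report or of Joe Sandbox: it applies two rules to process-creation events of the shape Sysmon Event ID 1 provides (image, parent image, command line). The events are constructed from the report's command lines; the process IDs, the parent links and the benign control event are invented for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's "Process created" lines.
# PIDs and parent links are invented; the report only gives PID 5656 for audiodent.exe.
EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\yRqHWQ91dT.exe",
              r"'C:\Users\user\Desktop\yRqHWQ91dT.exe'"),
    ProcEvent(2, 1, r"C:\Windows\SysWOW64\msiexec.exe",
              r"msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart"),
    ProcEvent(3, 0, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4, 3, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17"),
    ProcEvent(5, 3, r"C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe",
              r"C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe"),
    # Benign control (constructed): an interactive install of a package from Downloads.
    ProcEvent(6, 1, r"C:\Windows\SysWOW64\msiexec.exe", r"msiexec /i C:\Users\user\Downloads\tool.msi"),
]

# msiexec /i <package.msi> ... /q[n|b|r|f]: capture the package path, require a quiet flag.
MSI_SILENT = re.compile(r"(?i)\bmsiexec(?:\.exe)?\b.*\s/i\s+['\"]?([^'\"]+\.msi)['\"]?.*\s/q[nbrf]?\b")
# Per-user, attacker-writable locations that a legitimate package rarely installs into.
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\")


def is_msiexec(image):
    return image.lower().endswith("\\msiexec.exe")


def flag_installer_loader(events):
    """Return [(pid, reason)] for the two links of the chain:
    1. a silent msiexec install of a package sitting in a user-writable temp path;
    2. a non-msiexec child of msiexec whose image lives under the user profile."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if is_msiexec(e.image):
            m = MSI_SILENT.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((e.pid, "silent msiexec install of a package from a user-writable path"))
        parent = by_pid.get(e.ppid)
        if (parent and is_msiexec(parent.image) and not is_msiexec(e.image)
                and USER_WRITABLE.search(e.image)):
            findings.append((e.pid, "msiexec launched a newly installed executable from the user profile"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_installer_loader(EVENTS):
        print(f"pid {pid}: {reason}")
```

Rule 2 is the higher-signal one: the Windows Installer service normally launches custom actions from its own temp directory or installs into Program Files, so a child under AppData\Roaming is worth a look even when rule 1 did not fire because the installer was started interactively.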
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | File created: C:\Users\user\AppData\Local\Temp\nsz2BB.tmp |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/22@3/1 |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F78F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, |
Source: yRqHWQ91dT | Joe Sandbox Cloud Basic: Detection: clean Score: 0 |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Mutant created: \Sessions\1\BaseNamedObjects\COIN_LIBRARY_PROCESS_5656 |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: yRqHWQ91dT.exe | Static file information: File size 7580858 > 1048576 |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R; |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7AFAF push ecx; ret |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7E9AC push 0B565A71h; ret |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7E62F push edi; retf |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F7AC00 push ecx; ret |
Source: libEGL.dll.4.dr | Static PE information: section name: .00cfg |
Source: libEGL.dll.4.dr | Static PE information: section name: .voltbl |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_00981264 LoadLibraryA,GetProcAddress, |
Source: yRqHWQ91dT.exe | Static PE information: real checksum: 0x0 should be: 0x742c54 |
Source: libEGL.dll.4.dr | Static PE information: real checksum: 0x0 should be: 0x1b503 |
Source: audiodent.exe.4.dr | Static PE information: real checksum: 0xa095fa should be: |
Source: qclp2.dll.4.dr | Static PE information: real checksum: 0x403d8b should be: 0x4105cf |
Source: Typography.GlyphLayout.dll.4.dr | Static PE information: real checksum: 0x0 should be: 0x73e6 |
Source: SQLitePCLRaw.batteries_v2.dll.4.dr | Static PE information: 0xA466DFED [Sun May 27 16:10:21 2057 UTC] |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI17DA.tmp |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI14BC.tmp |
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll |
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe TID: 2200 | Thread sleep time: -240000s >= -30000s |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI17DA.tmp | Jump to dropped file |
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll | Jump to dropped file |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Thread delayed: delay time: 240000 |
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_0040646B FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_004027A1 FindFirstFileA, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Thread delayed: delay time: 240000 |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EA60A70 LoadLibraryW,GetProcAddress,SetThreadDescription,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RaiseException, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_00981264 LoadLibraryA,GetProcAddress, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EB36EF7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EB33A55 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EB36F7F mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EB25F3D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_6EB16501 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl |
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F77A2E cpuid |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_00981E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, |
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe | Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe | Code function: 9_2_07F77A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |