Windows Analysis Report
setupx 2.exe1.exe

Overview

General Information

Sample name: setupx 2.exe1.exe
Analysis ID: 1637272
MD5: fcebf765658ef7adabf6a5b1cc1384f6
SHA1: 705760f3154799ba9ce17f27dc22bcdc1f519526
SHA256: 62a29296217254a2236699307ebf64d245aeb14c38f85fc714e161d4f2961bf6
Tags: exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: setupx 2.exe1.exe Avira: detected
Antivirus detection for URL or domain
Source: https://citydisco.bet:443/gdJIS Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "a2e96289bea52606571039e31bd4e1154b81e6fbc2c168c2ccac"}
Multi AV Scanner detection for submitted file
Source: setupx 2.exe1.exe Virustotal: Detection: 48% Perma Link
Source: setupx 2.exe1.exe ReversingLabs: Detection: 65%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041CAA0 CryptUnprotectData,CryptUnprotectData, 3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041BED0 CryptUnprotectData, 3_2_0041BED0
Uses 32bit PE files
Source: setupx 2.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: setupx 2.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0019FCDE FindFirstFileExW, 0_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0019FD8F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0019FCDE FindFirstFileExW, 2_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_0019FD8F
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+3EEB158Ah] 3_2_0040D880
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 3_2_0044E140
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h 3_2_0044C13E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h] 3_2_00411A86
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 18A944CDh 3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov eax, ecx 3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 3_2_00439E3D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000160h] 3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002E8h] 3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7002D656h] 3_2_00430EF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h] 3_2_0044B695
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h 3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000DAh] 3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx eax, word ptr [ecx] 3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 3_2_0044A0E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_00435090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 3_2_0041B150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-3A6108A1h] 3_2_00423938
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, word ptr [ebx+eax] 3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_004219EE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-30929966h] 3_2_0043998F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-48C7705Ah] 3_2_0041B210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-48C7705Eh] 3_2_0044A220
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then jmp dword ptr [004555DCh] 3_2_00420AE4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [edx+eax-639E4F5Ch] 3_2_0042134F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3CB6001Eh] 3_2_00428350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+50DC5C06h] 3_2_0040DB5B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00437376
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then jmp ecx 3_2_0042FB3B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then lea edx, dword ptr [eax+00000270h] 3_2_0040BBD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004373E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], 00000020h 3_2_00437395
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_00439B99
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+06h] 3_2_004333B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_00437443
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002E8h] 3_2_0041C444
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp+38h], 00000800h 3_2_00430451
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D2427C0h] 3_2_0043946D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then jmp ecx 3_2_0042FC38
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edx+3E68D7A0h] 3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+08h] 3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+1BA59E12h] 3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp+04h], edi 3_2_0041D4F8
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_00437CB9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp], edx 3_2_00432557
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00433DD6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov edx, edi 3_2_004255A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+76318D9Ah] 3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-48C7705Eh] 3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esi], 6B6A7573h 3_2_0044BE48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00443660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-505762B2h] 3_2_0041EE70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi-0AAF5356h] 3_2_00437E7B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_00438E0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3AEEC40Ch] 3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then jmp eax 3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-1ADEC1F4h] 3_2_004236B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6Ch] 3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp+04h], edx 3_2_0041DF48
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp+0Ch], eax 3_2_0042A750
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h] 3_2_0040DF5F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_00412F23
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-21FA49F8h] 3_2_0044DFF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 3_2_00402780
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edx+10h] 3_2_004337A2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 4x nop then mov dword ptr [esp], eax 3_2_00410FB0

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49690 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49693 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49691 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49689 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Z0C9g0vMumphw6S5yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14513Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=nz73w5KkTES5g8rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15065Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=bXvL6tabwYEq5QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20385Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=iTN6Qmj74616BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2489Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=f3ZvH0vY6SO5sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551933Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: citydisco.bet
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: setupx 2.exe1.exe, 00000003.00000003.1061751941.0000000003290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setupx 2.exe1.exe, 00000003.00000003.1778410150.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1013191899.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/0l&1&
Source: setupx 2.exe1.exe, 00000003.00000003.1087780210.0000000000D0F000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1084939054.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1088036610.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/5
Source: setupx 2.exe1.exe, 00000003.00000003.1108761288.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2244132825.0000000000D14000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1084939054.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: setupx 2.exe1.exe, 00000003.00000003.1128257030.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISde(z
Source: setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: setupx 2.exe1.exe, 00000003.00000003.1127914685.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISP
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: setupx 2.exe1.exe, 00000003.00000003.1014672869.00000000032AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: setupx 2.exe1.exe, 00000003.00000003.1063219252.0000000000D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setupx 2.exe1.exe, 00000003.00000003.1062884184.00000000035B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49693 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004416E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 3_2_004416E0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_030C1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 3_2_030C1000
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004416E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 3_2_004416E0
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004418D0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 3_2_004418D0
Detected potential crypto function
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00166460 0_2_00166460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00164CB0 0_2_00164CB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012553B 0_2_0012553B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00141F50 0_2_00141F50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013D810 0_2_0013D810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015A810 0_2_0015A810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00176010 0_2_00176010
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00121000 0_2_00121000
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00182800 0_2_00182800
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012E030 0_2_0012E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018A030 0_2_0018A030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014E020 0_2_0014E020
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00125856 0_2_00125856
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017C050 0_2_0017C050
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00133840 0_2_00133840
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015C870 0_2_0015C870
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015D070 0_2_0015D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017D070 0_2_0017D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013F860 0_2_0013F860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00166090 0_2_00166090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001498A0 0_2_001498A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001678A0 0_2_001678A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001428C0 0_2_001428C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013A0F0 0_2_0013A0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001790F0 0_2_001790F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017E0F0 0_2_0017E0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018B0F0 0_2_0018B0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001350E0 0_2_001350E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001400E0 0_2_001400E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00150110 0_2_00150110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00174110 0_2_00174110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018D90A 0_2_0018D90A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013E900 0_2_0013E900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012C906 0_2_0012C906
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00158900 0_2_00158900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00158130 0_2_00158130
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00176920 0_2_00176920
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00139150 0_2_00139150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00136940 0_2_00136940
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00157170 0_2_00157170
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012B960 0_2_0012B960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00128990 0_2_00128990
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013F190 0_2_0013F190
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017D980 0_2_0017D980
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001301A0 0_2_001301A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001389A0 0_2_001389A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001241D0 0_2_001241D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001841D0 0_2_001841D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015E9C0 0_2_0015E9C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00182210 0_2_00182210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00143200 0_2_00143200
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00171A00 0_2_00171A00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014CA30 0_2_0014CA30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014DA30 0_2_0014DA30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00198230 0_2_00198230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00183A20 0_2_00183A20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012D250 0_2_0012D250
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00153A50 0_2_00153A50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00160240 0_2_00160240
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017BA40 0_2_0017BA40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00168A70 0_2_00168A70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00143A90 0_2_00143A90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00145290 0_2_00145290
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001382B0 0_2_001382B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001812B0 0_2_001812B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00187AB0 0_2_00187AB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00137AA0 0_2_00137AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00158AA0 0_2_00158AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001922CA 0_2_001922CA
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00129AF6 0_2_00129AF6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001272E0 0_2_001272E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00128310 0_2_00128310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013B310 0_2_0013B310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012A300 0_2_0012A300
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00127B00 0_2_00127B00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012CB0F 0_2_0012CB0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014D330 0_2_0014D330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00183330 0_2_00183330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00147320 0_2_00147320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00161320 0_2_00161320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00137B50 0_2_00137B50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0016A350 0_2_0016A350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00170350 0_2_00170350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017C350 0_2_0017C350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0016EB40 0_2_0016EB40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00149360 0_2_00149360
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00130B90 0_2_00130B90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013DB80 0_2_0013DB80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00177BB0 0_2_00177BB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017D3B0 0_2_0017D3B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00131BA0 0_2_00131BA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013E3A0 0_2_0013E3A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001553A0 0_2_001553A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001693D0 0_2_001693D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014A3F0 0_2_0014A3F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014ABF0 0_2_0014ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015ABF0 0_2_0015ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001893E0 0_2_001893E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013D410 0_2_0013D410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00134C10 0_2_00134C10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00156410 0_2_00156410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00142C00 0_2_00142C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00181C00 0_2_00181C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00134430 0_2_00134430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00130430 0_2_00130430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00173430 0_2_00173430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00188420 0_2_00188420
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00132450 0_2_00132450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00145450 0_2_00145450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0013EC70 0_2_0013EC70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00153C70 0_2_00153C70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014E490 0_2_0014E490
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001784C0 0_2_001784C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018A4C0 0_2_0018A4C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00133510 0_2_00133510
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00149D00 0_2_00149D00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017FD00 0_2_0017FD00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00129D30 0_2_00129D30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00136530 0_2_00136530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00143530 0_2_00143530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017F530 0_2_0017F530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015FD20 0_2_0015FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00179576 0_2_00179576
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015B560 0_2_0015B560
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00183D60 0_2_00183D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001A5592 0_2_001A5592
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00142D80 0_2_00142D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015DD80 0_2_0015DD80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015C5A0 0_2_0015C5A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00128DD0 0_2_00128DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00157DD0 0_2_00157DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015F5D0 0_2_0015F5D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001895D0 0_2_001895D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015DDD9 0_2_0015DDD9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001455C0 0_2_001455C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014B5F0 0_2_0014B5F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00125DF6 0_2_00125DF6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00167DF0 0_2_00167DF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00130DE0 0_2_00130DE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012C610 0_2_0012C610
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00140E10 0_2_00140E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00187E10 0_2_00187E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00177630 0_2_00177630
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00181630 0_2_00181630
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00130620 0_2_00130620
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014FE20 0_2_0014FE20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00169650 0_2_00169650
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00184640 0_2_00184640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012DE60 0_2_0012DE60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00161660 0_2_00161660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017A660 0_2_0017A660
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012E690 0_2_0012E690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00175690 0_2_00175690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00162E80 0_2_00162E80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017AE80 0_2_0017AE80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00145EB0 0_2_00145EB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00163EA0 0_2_00163EA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0014C6D0 0_2_0014C6D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001376C0 0_2_001376C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015AEC0 0_2_0015AEC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012B6F0 0_2_0012B6F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001466F0 0_2_001466F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0015D6E0 0_2_0015D6E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001586E0 0_2_001586E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0016AEE0 0_2_0016AEE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001A3718 0_2_001A3718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012BF10 0_2_0012BF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00142F10 0_2_00142F10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017EF10 0_2_0017EF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00129718 0_2_00129718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012A700 0_2_0012A700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00175700 0_2_00175700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00133F20 0_2_00133F20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00139740 0_2_00139740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00166F90 0_2_00166F90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0017FF90 0_2_0017FF90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00146FC0 0_2_00146FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00172FC0 0_2_00172FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012D7F0 0_2_0012D7F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001707F0 0_2_001707F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013D810 2_2_0013D810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015A810 2_2_0015A810
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00176010 2_2_00176010
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00121000 2_2_00121000
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00182800 2_2_00182800
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012E030 2_2_0012E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0014E020 2_2_0014E020
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00133840 2_2_00133840
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015C870 2_2_0015C870
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015D070 2_2_0015D070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013F860 2_2_0013F860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012C890 2_2_0012C890
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00166090 2_2_00166090
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001798B0 2_2_001798B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001498A0 2_2_001498A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001678A0 2_2_001678A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001428C0 2_2_001428C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013A0F0 2_2_0013A0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001790F0 2_2_001790F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018B0F0 2_2_0018B0F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001350E0 2_2_001350E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001400E0 2_2_001400E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00150110 2_2_00150110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00174110 2_2_00174110
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018D90A 2_2_0018D90A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013E900 2_2_0013E900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00158900 2_2_00158900
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00158130 2_2_00158130
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00176920 2_2_00176920
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00139150 2_2_00139150
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00136940 2_2_00136940
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00157170 2_2_00157170
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012B960 2_2_0012B960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00128990 2_2_00128990
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013F190 2_2_0013F190
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001301A0 2_2_001301A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001389A0 2_2_001389A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001241D0 2_2_001241D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001841D0 2_2_001841D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015E9C0 2_2_0015E9C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012D1E0 2_2_0012D1E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00182210 2_2_00182210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00143200 2_2_00143200
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00171A00 2_2_00171A00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00198230 2_2_00198230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00183A20 2_2_00183A20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00153A50 2_2_00153A50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00127240 2_2_00127240
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00168A70 2_2_00168A70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00143A90 2_2_00143A90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00145290 2_2_00145290
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001382B0 2_2_001382B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001812B0 2_2_001812B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00187AB0 2_2_00187AB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00137AA0 2_2_00137AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00158AA0 2_2_00158AA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001922CA 2_2_001922CA
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001522F0 2_2_001522F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00128310 2_2_00128310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013B310 2_2_0013B310
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00127B00 2_2_00127B00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012A300 2_2_0012A300
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0016130F 2_2_0016130F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00147320 2_2_00147320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00161320 2_2_00161320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00137B50 2_2_00137B50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0016A350 2_2_0016A350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00170350 2_2_00170350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0016EB40 2_2_0016EB40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00149360 2_2_00149360
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00130B90 2_2_00130B90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013DB80 2_2_0013DB80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00177BB0 2_2_00177BB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00131BA0 2_2_00131BA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013E3A0 2_2_0013E3A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001553A0 2_2_001553A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001693D0 2_2_001693D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0014ABF0 2_2_0014ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015ABF0 2_2_0015ABF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001893E0 2_2_001893E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00134C10 2_2_00134C10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013D410 2_2_0013D410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00153410 2_2_00153410
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00142C00 2_2_00142C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00181C00 2_2_00181C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00134430 2_2_00134430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00130430 2_2_00130430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00173430 2_2_00173430
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00132450 2_2_00132450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00145450 2_2_00145450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0013EC70 2_2_0013EC70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00153C70 2_2_00153C70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00166460 2_2_00166460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00164CB0 2_2_00164CB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001254D0 2_2_001254D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0017BCC0 2_2_0017BCC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001784C0 2_2_001784C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018A4C0 2_2_0018A4C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00133510 2_2_00133510
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00149D00 2_2_00149D00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00179500 2_2_00179500
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0017FD00 2_2_0017FD00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00129D30 2_2_00129D30
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00136530 2_2_00136530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00143530 2_2_00143530
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015FD20 2_2_0015FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012CD50 2_2_0012CD50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015B560 2_2_0015B560
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00183D60 2_2_00183D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001A5592 2_2_001A5592
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00142D80 2_2_00142D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015DD80 2_2_0015DD80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015C5A0 2_2_0015C5A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00128DD0 2_2_00128DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015F5D0 2_2_0015F5D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00157DD0 2_2_00157DD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015DDD9 2_2_0015DDD9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001455C0 2_2_001455C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0014B5F0 2_2_0014B5F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00167DF0 2_2_00167DF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00130DE0 2_2_00130DE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012C610 2_2_0012C610
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00140E10 2_2_00140E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00187E10 2_2_00187E10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00130620 2_2_00130620
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0014FE20 2_2_0014FE20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00169650 2_2_00169650
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00184640 2_2_00184640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012DE60 2_2_0012DE60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00189E60 2_2_00189E60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00129690 2_2_00129690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012E690 2_2_0012E690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00175690 2_2_00175690
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00162E80 2_2_00162E80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001216B0 2_2_001216B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00145EB0 2_2_00145EB0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00163EA0 2_2_00163EA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001376C0 2_2_001376C0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015AEC0 2_2_0015AEC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012B6F0 2_2_0012B6F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001466F0 2_2_001466F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0015D6E0 2_2_0015D6E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001586E0 2_2_001586E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0016AEE0 2_2_0016AEE0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012BF10 2_2_0012BF10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001A3718 2_2_001A3718
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00142F10 2_2_00142F10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0012A700 2_2_0012A700
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00133F20 2_2_00133F20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00141F50 2_2_00141F50
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00139740 2_2_00139740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00166F90 2_2_00166F90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0017FF90 2_2_0017FF90
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00146FC0 2_2_00146FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00172FC0 2_2_00172FC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001707F0 2_2_001707F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001227E0 2_2_001227E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043805F 3_2_0043805F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040B860 3_2_0040B860
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044F060 3_2_0044F060
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004461D0 3_2_004461D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00417AC0 3_2_00417AC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041CAA0 3_2_0041CAA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044E2B0 3_2_0044E2B0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00429320 3_2_00429320
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040D440 3_2_0040D440
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044FD20 3_2_0044FD20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00445E00 3_2_00445E00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00421EC0 3_2_00421EC0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041BED0 3_2_0041BED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00430EF0 3_2_00430EF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00415EA5 3_2_00415EA5
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042D782 3_2_0042D782
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00401040 3_2_00401040
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043B049 3_2_0043B049
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00420851 3_2_00420851
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044E850 3_2_0044E850
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00430070 3_2_00430070
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043E030 3_2_0043E030
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042E0D0 3_2_0042E0D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041209E 3_2_0041209E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043D8A0 3_2_0043D8A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00425960 3_2_00425960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00447960 3_2_00447960
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00441100 3_2_00441100
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043C91A 3_2_0043C91A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00447120 3_2_00447120
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042C93A 3_2_0042C93A
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042A1D0 3_2_0042A1D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004219EE 3_2_004219EE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043C1A8 3_2_0043C1A8
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00408A60 3_2_00408A60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00432273 3_2_00432273
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041B210 3_2_0041B210
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040A230 3_2_0040A230
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00402AD0 3_2_00402AD0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004572E4 3_2_004572E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040BAF0 3_2_0040BAF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042134F 3_2_0042134F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00428350 3_2_00428350
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00434330 3_2_00434330
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00427B37 3_2_00427B37
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004413D0 3_2_004413D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043E3E0 3_2_0043E3E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004373E4 3_2_004373E4
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042D3BF 3_2_0042D3BF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044EC40 3_2_0044EC40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041C444 3_2_0041C444
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00409450 3_2_00409450
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00430451 3_2_00430451
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D460 3_2_0044D460
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00443C6D 3_2_00443C6D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00433C00 3_2_00433C00
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042E422 3_2_0042E422
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00429C20 3_2_00429C20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004034D0 3_2_004034D0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004454E0 3_2_004454E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040C4F0 3_2_0040C4F0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043848D 3_2_0043848D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00423C9E 3_2_00423C9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00437CB9 3_2_00437CB9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040CD40 3_2_0040CD40
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00425D60 3_2_00425D60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00407D70 3_2_00407D70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00440D70 3_2_00440D70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D570 3_2_0044D570
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043805F 3_2_0043805F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041FD10 3_2_0041FD10
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00416D20 3_2_00416D20
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00447DE2 3_2_00447DE2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042DDF0 3_2_0042DDF0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00446D80 3_2_00446D80
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D589 3_2_0044D589
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D58B 3_2_0044D58B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00402590 3_2_00402590
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004255A0 3_2_004255A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044A640 3_2_0044A640
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00432E5D 3_2_00432E5D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0043266C 3_2_0043266C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00403E70 3_2_00403E70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041EE70 3_2_0041EE70
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D608 3_2_0044D608
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00438E0F 3_2_00438E0F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044461C 3_2_0044461C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00408ED0 3_2_00408ED0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004316FF 3_2_004316FF
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040E6A0 3_2_0040E6A0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00445740 3_2_00445740
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00404752 3_2_00404752
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041E75B 3_2_0041E75B
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044FF60 3_2_0044FF60
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0041F779 3_2_0041F779
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D730 3_2_0044D730
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0044D7E0 3_2_0044D7E0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00425FA0 3_2_00425FA0
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00410FB0 3_2_00410FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: String function: 0018DE10 appears 97 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: String function: 0019607C appears 44 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: String function: 0019AE24 appears 34 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: String function: 0041B200 appears 98 times
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: String function: 0040B230 appears 39 times
One or more processes crash
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692
Uses 32bit PE files
Source: setupx 2.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setupx 2.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003282335069446
Source: setupx 2.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003282335069446
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_004461D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_004461D0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6724
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c3cd5441-fce9-4321-9e5a-7707b94c0ea6 Jump to behavior
Source: setupx 2.exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: setupx 2.exe1.exe, 00000003.00000003.1015092021.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1014425820.0000000003298000.00000004.00000800.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1039114100.0000000003278000.00000004.00000800.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1039476683.000000000326A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setupx 2.exe1.exe Virustotal: Detection: 48%
Source: setupx 2.exe1.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File read: C:\Users\user\Desktop\setupx 2.exe1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe"
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 692
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe" Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe" Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: setupx 2.exe1.exe Static file information: File size 1385984 > 1048576
Source: setupx 2.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018DFCA push ecx; ret 0_2_0018DFDD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001604DD push ebx; iretd 2_2_001604E3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_001604F7 push ebx; iretd 2_2_001604F9
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0014A775 push es; iretd 2_2_0014A776
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018DFCA push ecx; ret 2_2_0018DFDD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0040FA67 push esi; ret 3_2_0040FA68
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00454422 push edi; retf 3_2_00454423
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_0042B48C push eax; retf 3_2_0042B48D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00455CB0 push cs; ret 3_2_00455C69
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00427569 push ebp; mov dword ptr [esp], ebx 3_2_0042756D
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 3_2_00452736 push eax; ret 3_2_00452737
Source: setupx 2.exe1.exe Static PE information: section name: .text entropy: 7.09207256696417
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe System information queried: FirmwareTableInformation Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Window / User API: threadDelayed 6540 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\setupx 2.exe1.exe TID: 2644 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe TID: 3796 Thread sleep count: 6540 > 30 Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0019FCDE FindFirstFileExW, 0_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_0019FD8F
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0019FCDE FindFirstFileExW, 2_2_0019FCDE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0019FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_0019FD8F
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1013344220.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1013126134.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1127948218.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1108840253.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2243952725.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000002.2243427244.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1088080681.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, setupx 2.exe1.exe, 00000003.00000003.1087965493.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039570211.00000000032AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: setupx 2.exe1.exe, 00000003.00000003.1039648408.000000000329D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0012553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock, 0_2_0012553B
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0018DC9E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001B61B4 mov edi, dword ptr fs:[00000030h] 0_2_001B61B4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0019B71C GetProcessHeap, 0_2_0019B71C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0018D8E2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0018DC9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018DC92 SetUnhandledExceptionFilter, 0_2_0018DC92
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_00195DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00195DCE
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0018D8E2
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_0018DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0018DC9E
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 2_2_00195DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00195DCE

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_001B61B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_001B61B4
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Memory written: C:\Users\user\Desktop\setupx 2.exe1.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe" Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Process created: C:\Users\user\Desktop\setupx 2.exe1.exe "C:\Users\user\Desktop\setupx 2.exe1.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 0_2_0019B007
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0019F048
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 0_2_0019F8B3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 0_2_0019F299
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 0_2_0019AB0C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0019F334
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 0_2_0019F587
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 0_2_0019F5E6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 0_2_0019F6BB
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 0_2_0019F706
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0019F7AD
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 2_2_0019B007
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_0019F048
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 2_2_0019F8B3
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 2_2_0019F299
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 2_2_0019AB0C
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_0019F334
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 2_2_0019F587
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 2_2_0019F5E6
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: EnumSystemLocalesW, 2_2_0019F6BB
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW, 2_2_0019F706
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0019F7AD
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Code function: 0_2_0018E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0018E6D7
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: setupx 2.exe1.exe, 00000003.00000003.1778410150.0000000000C9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: 3.2.setupx 2.exe1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.setupx 2.exe1.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum"
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty_"
Source: setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: setupx 2.exe1.exe, 00000003.00000003.1061156152.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletL
Source: setupx 2.exe1.exe, 00000003.00000003.1061477221.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: setupx 2.exe1.exe, 00000003.00000003.1778278456.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setupx 2.exe1.exe, 00000003.00000003.1087834589.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 2.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setupx 2.exe1.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: 3.2.setupx 2.exe1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.setupx 2.exe1.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2242806640.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1062249228.000000000304A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637272 Sample: setupx 2.exe1.exe Startdate: 13/03/2025 Architecture: WINDOWS Score: 100 20 citydisco.bet 2->20 24 Found malware configuration 2->24 26 Antivirus detection for URL or domain 2->26 28 Antivirus / Scanner detection for submitted sample 2->28 30 7 other signatures 2->30 7 setupx 2.exe1.exe 1 2->7         started        signatures3 process4 signatures5 32 Injects a PE file into a foreign processes 7->32 10 setupx 2.exe1.exe 7->10         started        14 WerFault.exe 21 16 7->14         started        16 conhost.exe 7->16         started        18 setupx 2.exe1.exe 7->18         started        process6 dnsIp7 22 citydisco.bet 188.114.96.3, 443, 49681, 49683 CLOUDFLARENETUS European Union 10->22 34 Query firmware table information (likely to detect VMs) 10->34 36 Found many strings related to Crypto-Wallets (likely being stolen) 10->36 38 Tries to harvest and steal ftp login credentials 10->38 40 2 other signatures 10->40 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 citydisco.bet European Union
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
citydisco.bet 188.114.96.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
mrodularmall.top/aNzS false
    		high
    bugildbett.top/bAuz false
      		high
      jowinjoinery.icu/bdWUa false
        		high
        legenassedk.top/bdpWO false
          		high
          citydisco.bet/gdJIS false
            		high
            featureccus.shop/bdMAn false
              		high
              htardwarehu.icu/Sbdsa false
                		high
                https://citydisco.bet/gdJIS false
                  		high
                  cjlaspcorne.icu/DbIps false
                    		high