Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1600765
MD5: 61394f48ee9d0352adcc6509095d5563
SHA1: e393120aad798d3886576f5efc6f5329d1bdb32b
SHA256: 5da064567dfffd366886fbcd36fd89f76ab79830fb1a5f434b5568df0fcdadb2
Tags: de-pumped, exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

AV Detection

Source: https://toppyneedus.biz/apiC# Avira URL Cloud: Label: malware
Source: https://cegu.shop/? Avira URL Cloud: Label: malware
Source: https://cegu.shop/W Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/api$ Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apiH Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apir2 Avira URL Cloud: Label: malware
Source: setup.exe.6512.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://toppyneedus.biz/api", "Build Version": "hRjzG3--SBER"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability

Exploits

Source: Yara match File source: 4.2.ISDbg.exe.acd298b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ISDbg.exe.ad18658.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ISDbg.exe.ad17a58.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2775936845.000000000ACCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: C:\CodeBases\isdev\System\ISDbg.pdbq source: ISDbg.exe, 00000004.00000000.2757881951.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp, ISDbg.exe, 00000004.00000002.2769328706.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: shfolder.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Service\Build\_release-Windows-NT4-i686-main\FNPLicensingService.exe.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\CodeBases\isdev\system\ISUIServices.pdb source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Service\Build\_release-Windows-NT4-i686-main\FNPLicensingService.exe.pdb^ source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: ISDbg.exe, 00000004.00000002.2776671015.000000000B2D0000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2771851128.00000000037CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ISDbg.exe, 00000004.00000002.2776671015.000000000B2D0000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2771851128.00000000037CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.exe, 00000000.00000003.2500407715.0000000004441000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777714801.000000006D2F1000.00000020.00000001.01000000.0000000B.sdmp, msvcp140.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.exe, 00000000.00000003.2500496233.0000000004242000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777836791.000000006D381000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\CodeBases\isdev\System\ISDbg.pdb source: ISDbg.exe, 00000004.00000000.2757881951.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp, ISDbg.exe, 00000004.00000002.2769328706.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.exe, 00000000.00000003.2500407715.0000000004441000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777714801.000000006D2F1000.00000020.00000001.01000000.0000000B.sdmp, msvcp140.dll.0.dr
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Installer\Build\_release-Windows-NT4-i686-main\FNP_Act_Installer.dll.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777293427.000000006C68A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.exe, 00000000.00000003.2500496233.0000000004242000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777836791.000000006D381000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00922218 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,_wcslen, 4_2_00922218
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008CF090 FindFirstFileW,FindClose, 4_2_008CF090
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008CF010 FindFirstFileW,FindClose, 4_2_008CF010

Networking

Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49758 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49770 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059421 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) : 192.168.2.6:51239 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.6:53911 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49810 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49795 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49786 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49825 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.6:49816 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49825 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49786 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49758 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49758 -> 172.67.149.66:443
Source: Malware configuration extractor URLs: https://toppyneedus.biz/api
Source: Joe Sandbox View IP Address: 172.67.149.66
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49752 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49758 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49770 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49795 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49810 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49786 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49825 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49816 -> 172.67.149.66:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49835 -> 172.67.195.182:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 78 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=R1OGYNVD5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12804 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=40WFGCXT8D7 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15062 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=DPVUN1OO1XV9YUD4K | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19956 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=YBD9KRTYBN | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2609 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=RUI378P32OKNP79DSOK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1109 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 113 | Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: GET /cp_sh.eml HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: gg.agroundyogasuspect.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00AAD722 QueryPerformanceCounter,GetTickCount,ResetEvent,InternetReadFile,QueryPerformanceCounter,GetTickCount,__alldvrm,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_00AAD722
Source: global traffic DNS traffic detected: DNS query: selfcarestop.top
Source: global traffic DNS traffic detected: DNS query: impolitewearr.biz
Source: global traffic DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic DNS traffic detected: DNS query: cegu.shop
Source: global traffic DNS traffic detected: DNS query: gg.agroundyogasuspect.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: toppyneedus.biz
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770586034.0000000003069000.00000004.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr String found in binary or memory: http://169.254.169.254http://169.254.169.254/latest/meta-datalatest/meta-data/public-ipv4latest/meta
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: setup.exe String found in binary or memory: http://fsf.org/
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://s.symcd.com06
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://s2.symcb.com0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: setup.exe String found in binary or memory: http://www.gnu.org/licenses/
Source: setup.exe String found in binary or memory: http://www.gnu.org/philosophy/why-not-lgpl.html
Source: ISDbg.exe, 00000004.00000002.2775936845.000000000AC75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: ISUIServices.dll.0.dr String found in binary or memory: http://www.macrovision.com/fnp/2004/11/activation
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: setup.exe, 00000000.00000003.2345159843.000000000431D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setup.exe, 00000000.00000003.2498555221.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2500552260.00000000009C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/
Source: setup.exe, 00000000.00000003.2500552260.00000000009C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: setup.exe, 00000000.00000003.2498555221.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2500552260.00000000009C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/?
Source: setup.exe, 00000000.00000003.2498555221.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2500552260.00000000009C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/W
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr String found in binary or memory: https://flexerasoftware.flexnetoperations.com/control/inst/ActivationService-CCUninstalling
Source: setup.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: setup.exe, 00000000.00000003.2498555221.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2500552260.00000000009C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gg.agroundyogasuspect.shop/cp_sh.eml
Source: setup.exe, 00000000.00000003.2347294395.000000000453C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setup.exe, 00000000.00000003.2347294395.000000000453C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: setup.exe, 00000000.00000003.2362556907.0000000004211000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2397414206.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2379108002.00000000009CA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2343965668.0000000004216000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2379071635.00000000009C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/
Source: setup.exe, setup.exe, 00000000.00000003.2330874787.0000000004220000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2378932528.000000000421F000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2397568109.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2498601813.00000000009CC000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2362556907.0000000004211000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2500610106.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2343965668.0000000004216000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2498692042.00000000009D7000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2379168387.000000000421F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/api
Source: setup.exe, 00000000.00000003.2343965668.0000000004216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/api$
Source: setup.exe, 00000000.00000003.2397568109.00000000009D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/apiC#
Source: setup.exe, 00000000.00000003.2344496085.00000000009D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/apiH
Source: setup.exe, 00000000.00000003.2378932528.000000000421F000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2379168387.000000000421F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/apir2
Source: setup.exe, 00000000.00000003.2332281369.00000000009D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz:443/api
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup.exe, 00000000.00000003.2308567316.0000000004259000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2308472533.000000000425B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: setup.exe, 00000000.00000003.2346802850.00000000042B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: setup.exe, 00000000.00000003.2346802850.00000000042B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: setup.exe, 00000000.00000003.2347294395.000000000453C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: setup.exe, 00000000.00000003.2347294395.000000000453C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: setup.exe, 00000000.00000003.2347294395.000000000453C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
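The C2 string above is recovered from nine memory dumps, and in several of them it carries a trailing byte or two of unrelated memory ("$", "C#", "H", "r2"); one copy also spells out the default port. The following Python script is an added example (not code from the report or from Joe Sandbox) of turning that noise back into one canonical URL: it pulls narrow and wide URL-shaped strings out of a memory blob, drops default ports, and folds any URL that is a shorter, at least as frequent URL plus up to two trailing characters into that shorter URL. The memory blob is constructed for the example, and the two-character absorption limit is an assumption tuned to what this report shows.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a process memory dump (not a real dump): the C2 string as the
# report recovered it, followed by whatever bytes sat after it, one copy with the default
# port, two benign Firefox strings, and one UTF-16LE copy.
SAMPLE_DUMP = (
    b"\x00\x00https://toppyneedus.biz/api\x00\x00"
    b"junkhttps://toppyneedus.biz/api$\x00"
    b"\x01https://toppyneedus.biz/apiC#\x00"
    b"https://toppyneedus.biz/apiH\x00"
    b"https://toppyneedus.biz/apir2\x00"
    b"https://toppyneedus.biz:443/api\x00"
    b"https://toppyneedus.biz/api\x00https://toppyneedus.biz/api\x00"
    b"https://www.mozilla.org\x00https://www.ecosia.org/newtab/\x00"
    + "https://toppyneedus.biz/api".encode("utf-16-le") + b"\x00\x00"
)

# The path character class leaves out '$', '#' and similar, so non-URL junk glued to a
# string is cut off by the regex itself; alphanumeric junk ('C', 'H', 'r2') survives and
# is handled by canonicalize().
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/\-]*)?")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # printable UTF-16LE runs


def extract_urls(blob):
    """Every URL-shaped narrow or wide string in blob, with occurrence counts."""
    found = Counter(m.group(0).decode("ascii") for m in ASCII_URL.finditer(blob))
    for run in WIDE_RUN.finditer(blob):
        narrow = run.group(0).decode("utf-16-le").encode("ascii")
        found.update(m.group(0).decode("ascii") for m in ASCII_URL.finditer(narrow))
    return found


def strip_default_port(url):
    """https://host:443/x and https://host/x name the same endpoint."""
    try:
        p = urlsplit(url)
        if (p.scheme, p.port) in (("https", 443), ("http", 80)):
            return urlunsplit((p.scheme, p.hostname, p.path, p.query, p.fragment))
    except ValueError:  # port outside 0..65535
        pass
    return url


def canonicalize(found, max_tail=2):
    """Fold near-duplicates. A URL that equals a shorter, at least as frequent URL plus
    up to max_tail trailing characters is counted as that shorter URL: the tail is
    adjacent memory, not part of the string. Returns canonical URL -> total count."""
    counts = Counter()
    for url, n in found.items():
        counts[strip_default_port(url)] += n
    canonical = {}
    # Most frequent (then shortest) first, so canonical forms exist before their variants.
    for url in sorted(counts, key=lambda u: (-counts[u], len(u))):
        parent = next((c for c in canonical
                       if url.startswith(c) and 0 < len(url) - len(c) <= max_tail
                       and counts[c] >= counts[url]), None)
        if parent is None:
            canonical[url] = counts[url]
        else:
            canonical[parent] += counts[url]
    return canonical


if __name__ == "__main__":
    for url, n in canonicalize(extract_urls(SAMPLE_DUMP)).items():
        print(f"{n:3d}  {url}")
```

On the constructed blob the nine toppyneedus.biz variants collapse to a single `https://toppyneedus.biz/api` while the Mozilla and Ecosia strings stay separate; on a real dump, run it over every `.sdmp` region and compare the canonical set against the configuration the sandbox extracted.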
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.195.182:443 -> 192.168.2.6:49835 version: TLS 1.2
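The 27 lines above describe nine TLS sessions, but each session is listed twice in the port lines (once per direction) and only the TLS lines name the server. The Python below is an added example, not code from the report or from Joe Sandbox: it keys both line types on the client's ephemeral port, the one field they share, and reports sessions per server, TLS versions seen, any port with traffic but no recorded handshake, and any port seen in only one direction. The input lines are copied from the report above with the "Source: unknown" prefix dropped. One caveat for blocking: both server addresses fall inside 172.64.0.0/13, which is Cloudflare's range, so they are CDN edge addresses rather than the origin; hunt and block on the domain and TLS SNI, not on the IP.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the report's network section (the sandbox's own observations).
REPORT_LINES = """\
Network traffic detected: HTTP traffic on port 443 -> 49810
Network traffic detected: HTTP traffic on port 49816 -> 443
Network traffic detected: HTTP traffic on port 49758 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49786
Network traffic detected: HTTP traffic on port 443 -> 49752
Network traffic detected: HTTP traffic on port 443 -> 49795
Network traffic detected: HTTP traffic on port 443 -> 49770
Network traffic detected: HTTP traffic on port 49835 -> 443
Network traffic detected: HTTP traffic on port 49786 -> 443
Network traffic detected: HTTP traffic on port 49770 -> 443
Network traffic detected: HTTP traffic on port 49795 -> 443
Network traffic detected: HTTP traffic on port 49825 -> 443
Network traffic detected: HTTP traffic on port 49752 -> 443
Network traffic detected: HTTP traffic on port 49810 -> 443
Network traffic detected: HTTP traffic on port 443 -> 49816
Network traffic detected: HTTP traffic on port 443 -> 49825
Network traffic detected: HTTP traffic on port 443 -> 49758
Network traffic detected: HTTP traffic on port 443 -> 49835
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49752 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49758 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49770 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49786 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49795 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49810 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49816 version: TLS 1.2
HTTPS traffic detected: 172.67.149.66:443 -> 192.168.2.6:49825 version: TLS 1.2
HTTPS traffic detected: 172.67.195.182:443 -> 192.168.2.6:49835 version: TLS 1.2
""".splitlines()

PORT_LINE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_LINE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (TLS \S+)")


def new_flow():
    return {"server": None, "client": None, "tls": None, "directions": set()}


def parse_flows(lines, server_port=443):
    """Group observations by client (ephemeral) port, the one field both line types share."""
    flows = defaultdict(new_flow)
    for line in lines:
        m = PORT_LINE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            if a == server_port:
                flows[b]["directions"].add("server->client")
            elif b == server_port:
                flows[a]["directions"].add("client->server")
            continue
        m = TLS_LINE.search(line)
        if m:
            server_ip, _, client_ip, client_port, version = m.groups()
            flows[int(client_port)].update(server=server_ip, client=client_ip, tls=version)
    return dict(flows)


def summarize(flows):
    return {
        "sessions": len(flows),
        "by_server": dict(Counter(f["server"] for f in flows.values() if f["server"])),
        "tls_versions": sorted({f["tls"] for f in flows.values() if f["tls"]}),
        "ports_without_tls": sorted(p for p, f in flows.items() if f["tls"] is None),
        "one_way_ports": sorted(p for p, f in flows.items() if len(f["directions"]) < 2),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_flows(REPORT_LINES)).items():
        print(f"{key}: {value}")
```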
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_0095EB75 __EH_prolog3,LoadImageW,GetObjectW,DeleteObject,OpenClipboard, 4_2_0095EB75
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008E2A67 GetKeyState,GetKeyState,GetKeyState,SendMessageW, 4_2_008E2A67
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008FF7D9 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 4_2_008FF7D9
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008F1883 GetKeyState,GetKeyState,GetKeyState, 4_2_008F1883

System Summary

Source: 4.2.ISDbg.exe.acd298b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.ISDbg.exe.ad18658.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.ISDbg.exe.ad17a58.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_009C10ED 0_3_009C10ED
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_009CD9A7 0_3_009CD9A7
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_04226D7E 0_3_04226D7E
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_04226E05 0_3_04226E05
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_009CD9A9 0_3_009CD9A9
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_009D6238 0_3_009D6238
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_009D57F9 0_3_009D57F9
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00ACA108 4_2_00ACA108
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008B8520 4_2_008B8520
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00905466 4_2_00905466
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008B5610 4_2_008B5610
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAA4F1 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 009123A2 appears 145 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAA480 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAA00E appears 75 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 008EFEE9 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAA5A0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAC7AC appears 35 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 008B5530 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 00AAA4BD appears 181 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 0090C0B4 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: String function: 0091250E appears 145 times
Source: setup.exe Static PE information: Resource name: None type: PE32+ executable (console) x86-64, for MS Windows
Source: FNP_Act_Installer.dll.0.dr Static PE information: Resource name: BINARY type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: FNP_Act_Installer.dll.0.dr Static PE information: Resource name: BINARY type: PE32 executable (console) Intel 80386, for MS Windows
Source: setup.exe, 00000000.00000003.2281239676.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSDIO_R773.exe^ vs setup.exe
Source: setup.exe, 00000000.00000000.2157302683.00000000004F6000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSDIO_R773.exe^ vs setup.exe
Source: setup.exe, 00000000.00000003.2500496233.0000000004242000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.exe
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dllj% vs setup.exe
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFNPLicensingService.exeV vs setup.exe
Source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlexNet Publisher (32 bit)V vs setup.exe
Source: setup.exe, 00000000.00000003.2746647026.0000000005F7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISUIServices.DLL< vs setup.exe
Source: setup.exe, 00000000.00000003.2500407715.0000000004441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameSDIO_R773.exe^ vs setup.exe
Source: setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 4.2.ISDbg.exe.acd298b.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.ISDbg.exe.ad18658.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.ISDbg.exe.ad17a58.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
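The three matches above are on unpacked memory regions of ISDbg.exe, and the rule's own text is not reproduced on this page. The Python below is an added example (not the ditekSHen rule and not code from the report) of how a scanner finds the two artefacts that CMSTP COM elevation code leaves in an image: the CMSTPLUA class identifier and the COM elevation moniker prefix. Which strings to look for is my assumption about what such rules key on. A CLSID can appear three ways in a PE image, as a braced string in either case (narrow or wide) for CLSIDFromString, or as the raw 16-byte GUID structure with its first three fields little-endian, so the scanner searches all of them; the sample image is constructed. One check before treating the hit as payload behaviour: the PDB path C:\CodeBases\isdev\System\ISDbg.pdb recorded further down identifies ISDbg.exe as an InstallShield component, and installers legitimately use COM elevation, so confirm which code the matched bytes belong to.

```python
import uuid

# Assumed indicators (mine, not the rule's text): the CMSTPLUA COM class and the COM
# elevation moniker prefix used to instantiate a class with auto-elevation.
CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"
ELEVATION_MONIKER = "Elevation:Administrator!new:"

# Constructed sample images (not dumps from the report): one with the moniker as a wide
# string and the CLSID in binary form, one with neither.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + ELEVATION_MONIKER.encode("utf-16-le")
    + b"\x00" * 8
    + uuid.UUID(CMSTPLUA_CLSID).bytes_le
    + b"\x00" * 4
)
CLEAN_IMAGE = (
    b"\x00" * 16
    + "Elevation:".encode("utf-16-le")
    + uuid.UUID("00000000-0000-0000-C000-000000000046").bytes_le  # IID_IUnknown
)


def find_all(blob, needle):
    """Every offset at which needle occurs in blob."""
    offsets, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def guid_needles(guid):
    """The byte patterns a CLSID can take inside an image: the raw GUID structure (first
    three fields little-endian, as passed to CoCreateInstance/CoGetObject) and the braced
    text form in upper or lower case, narrow or UTF-16LE."""
    u = uuid.UUID(guid)
    needles = {"binary": u.bytes_le}
    for case, text in (("upper", str(u).upper()), ("lower", str(u).lower())):
        braced = "{" + text + "}"
        needles[f"ascii_{case}"] = braced.encode("ascii")
        needles[f"wide_{case}"] = braced.encode("utf-16-le")
    return needles


def scan_cmstp_indicators(blob):
    """Map of indicator name -> offsets for every form that occurs in blob."""
    hits = {}
    for form, needle in guid_needles(CMSTPLUA_CLSID).items():
        if offsets := find_all(blob, needle):
            hits[f"clsid_{form}"] = offsets
    for form, needle in (("ascii", ELEVATION_MONIKER.encode("ascii")),
                         ("wide", ELEVATION_MONIKER.encode("utf-16-le"))):
        if offsets := find_all(blob, needle):
            hits[f"moniker_{form}"] = offsets
    return hits


def cmstp_com_verdict(hits):
    """Both the class and the elevation moniker must be present; either alone is weak."""
    has_clsid = any(k.startswith("clsid_") for k in hits)
    has_moniker = any(k.startswith("moniker_") for k in hits)
    return has_clsid and has_moniker


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_IMAGE), ("clean", CLEAN_IMAGE)):
        hits = scan_cmstp_indicators(image)
        print(name, cmstp_com_verdict(hits), hits)
```

Requiring both indicators is what keeps a bare CLSID string (which also appears in legitimate code that enumerates or references the class) from firing on its own; the offsets let you map each hit back to a section or function in the dump.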
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@3/5@5/2
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008C5EA0 GetLastError,SetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree, 4_2_008C5EA0
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008F78CC __EH_prolog3_GS,GetDiskFreeSpaceW,GetFullPathNameW,GetTempFileNameW,GetFileTime,SetFileTime,GetFileSecurityW,GetFileSecurityW,SetFileSecurityW, 4_2_008F78CC
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008BE670 CoCreateInstance,StringFromGUID2,RegQueryInfoKeyW,RegQueryInfoKeyW,RegQueryInfoKeyW, 4_2_008BE670
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008E214B IsWindow,FindResourceW,SizeofResource,LoadResource,LockResource,FreeResource, 4_2_008E214B
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe, 00000000.00000003.2310174053.0000000004229000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2309553437.0000000004246000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setup.exe String found in binary or memory: \*.txtSTR_LANG_NAME ()Select Language DirectorystaticSnappy Driver Installer OriginLanguage Translation ToolSelect your language from the drop down combo box then double click the line you want to translate. See the reference manual for more information. Send updated language files to: translations@snappy-driver-installer.org.Language Directoryedit...buttonLanguageComboBoxLegend0OkTranslation StringsSysListView32Reference (English)Translation&Save&Revert&CloseSave ChangesThe translation is modified. Do you want to save the changes?// CommentTranslation is the sameNo translation yetNo reference valueKeySnappy Driver Installer Origin Translation Tool v1.13.6/\MS Sans SerifTahomaCourier New
Source: setup.exe String found in binary or memory: Home Page: www.snappy-driver-installer.orgP
Source: setup.exe String found in binary or memory: Home Page: www.snappy-driver-installer.orgP"\
Source: setup.exe String found in binary or memory: // send updates to translations@snappy-driver-installer.org
Source: setup.exe String found in binary or memory: -install <hwid> <inffile>
Source: setup.exe String found in binary or memory: -save-installed-id[:<file>]
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe "C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe"
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: isuiservices.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: fnp_act_installer.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Section loaded: shdocvw.dll
Source: setup.exe Static file information: File size 1798656 > 1048576
Source: Binary string: C:\CodeBases\isdev\System\ISDbg.pdbq source: ISDbg.exe, 00000004.00000000.2757881951.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp, ISDbg.exe, 00000004.00000002.2769328706.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: shfolder.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Service\Build\_release-Windows-NT4-i686-main\FNPLicensingService.exe.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\CodeBases\isdev\system\ISUIServices.pdb source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Service\Build\_release-Windows-NT4-i686-main\FNPLicensingService.exe.pdb^ source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: ISDbg.exe, 00000004.00000002.2776671015.000000000B2D0000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2771851128.00000000037CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ISDbg.exe, 00000004.00000002.2776671015.000000000B2D0000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2771851128.00000000037CE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.exe, 00000000.00000003.2500407715.0000000004441000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777714801.000000006D2F1000.00000020.00000001.01000000.0000000B.sdmp, msvcp140.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.exe, 00000000.00000003.2500496233.0000000004242000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777836791.000000006D381000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\CodeBases\isdev\System\ISDbg.pdb source: ISDbg.exe, 00000004.00000000.2757881951.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp, ISDbg.exe, 00000004.00000002.2769328706.0000000000B3F000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.exe, 00000000.00000003.2500407715.0000000004441000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777714801.000000006D2F1000.00000020.00000001.01000000.0000000B.sdmp, msvcp140.dll.0.dr
Source: Binary string: E:\FNP-11.16.6\tier1\FNP\Installer\Build\_release-Windows-NT4-i686-main\FNP_Act_Installer.dll.pdb source: setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777293427.000000006C68A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.exe, 00000000.00000003.2500496233.0000000004242000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2777836791.000000006D381000.00000020.00000001.01000000.00000009.sdmp, vcruntime140.dll.0.dr
Source: vcruntime140.dll.0.dr Static PE information: 0xF9CD8462 [Sun Oct 22 21:25:54 2102 UTC]
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008B10F8 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress, 4_2_008B10F8
Source: setup.exe Static PE information: real checksum: 0x76467 should be: 0x1b8676
Source: setup.exe Static PE information: section name: .eh_fram
Source: ISUIServices.dll.0.dr Static PE information: section name: .textidx
Source: ISUIServices.dll.0.dr Static PE information: section name: .fnp_dir
Source: ISUIServices.dll.0.dr Static PE information: section name: .fnp_mar
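Two of the static indicators above can be reproduced by hand: the checksum mismatch on setup.exe (stored 0x76467, expected 0x1b8676) and the year-2102 timestamp on the dropped vcruntime140.dll. The Python below is an added example, not code from the report or from Joe Sandbox: it decodes IMAGE_FILE_HEADER.TimeDateStamp, locates the optional-header CheckSum field from the MZ/PE headers, and recomputes it with the same one's-complement algorithm imagehlp's CheckSumMappedFile uses; the images it runs on are constructed header skeletons. Two caveats when reading these findings: the loader does not enforce CheckSum for ordinary user-mode executables, so a mismatch only says the header was not updated after the image was last modified (or was never set, if it is zero); and Microsoft's own VC++ runtime binaries are linked with reproducible-build settings that store a hash rather than a date in TimeDateStamp, so an impossible date on vcruntime140.dll is expected for that file, whereas the checksum finding is on setup.exe itself.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_pe_timestamp(stamp):
    """IMAGE_FILE_HEADER.TimeDateStamp: unsigned 32-bit seconds since the Unix epoch."""
    return EPOCH + timedelta(seconds=stamp & 0xFFFFFFFF)


def timestamp_verdict(stamp, analysis_time, earliest=datetime(1995, 1, 1, tzinfo=timezone.utc)):
    """'future' and 'too_old' are impossible build dates; both cut-offs are assumptions."""
    when = decode_pe_timestamp(stamp)
    if when > analysis_time:
        return "future"
    if when < earliest:
        return "too_old"
    return "plausible"


def checksum_field_offset(image):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (file header) + 64 (CheckSum's offset inside the optional header)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = int.from_bytes(image[0x3C:0x40], "little")
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(image, checksum_offset):
    """Recompute CheckSum as CheckSumMappedFile does: one's-complement sum of every
    32-bit word except the CheckSum field, folded to 16 bits, plus the file length.
    A trailing partial word is zero-padded for the summation only."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be dword aligned")
    data = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        total += int.from_bytes(data[off:off + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(image)


def checksum_verdict(image):
    """(stored, computed, verdict) with verdict one of 'unset', 'match', 'mismatch'."""
    off = checksum_field_offset(image)
    stored = int.from_bytes(image[off:off + 4], "little")
    computed = pe_checksum(image, off)
    if stored == 0:
        return stored, computed, "unset"
    return stored, computed, "match" if stored == computed else "mismatch"


def minimal_image(stored_checksum=0, size=256, e_lfanew=0x80):
    """Constructed header skeleton: just enough MZ/PE structure to locate CheckSum."""
    img = bytearray(size)
    img[:2] = b"MZ"
    img[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    off = e_lfanew + 4 + 20 + 64
    img[off:off + 4] = stored_checksum.to_bytes(4, "little")
    return bytes(img)


if __name__ == "__main__":
    stamp = 0xF9CD8462  # the vcruntime140.dll value from the report
    print(decode_pe_timestamp(stamp).isoformat(), timestamp_verdict(stamp, datetime.now(timezone.utc)))
    print(checksum_verdict(minimal_image()))
    print(checksum_verdict(minimal_image(stored_checksum=0x76467)))
```

On a real file, read the whole image into `image` and call `checksum_verdict`; the value it computes for setup.exe should agree with the 0x1b8676 the sandbox reports, and the stored 0x76467 will come back as a mismatch.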
Source: C:\Users\user\Desktop\setup.exe Code function: 0_3_042235CA push ds; retf 0_3_042235CB
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00AAA486 push ecx; ret 4_2_00AAA499
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00AAA5E6 push ecx; ret 4_2_00AAA5F9
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008DF30D push esi; ret 4_2_008DF30F
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008DB602 push cs; retf 4_2_008DB608
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_02F55DD6 push ecx; ret 4_2_02F55DE9
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISUIServices.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\msvcp140.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\FNP_Act_Installer.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008E434B IsIconic, 4_2_008E434B
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008E88A0 IsWindowVisible,IsIconic, 4_2_008E88A0
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008FA86D GetParent,IsIconic,GetParent, 4_2_008FA86D
Source: C:\Users\user\Desktop\setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\setup.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe API/Special instruction interceptor: Address: 76AC7C44
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe RDTSC instruction interceptor: First address: 76ACF3E1 second address: 76ACF3FD instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-20h], eax
    0x00000005 mov dword ptr [ebp-1Ch], edx
    0x00000008 lea esi, dword ptr [ebp-38h]
    0x0000000b xor eax, eax
    0x0000000d xor ecx, ecx
    0x0000000f cpuid
    0x00000011 mov dword ptr [esi], eax
    0x00000013 mov dword ptr [esi+04h], ebx
    0x00000016 mov dword ptr [esi+08h], ecx
    0x00000019 mov dword ptr [esi+0Ch], edx
    0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe RDTSC instruction interceptor: First address: 76ACF3FD second address: 76ACF3E1 instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-18h], eax
    0x00000005 mov dword ptr [ebp-14h], edx
    0x00000008 mov eax, dword ptr [ebp-18h]
    0x0000000b sub eax, dword ptr [ebp-20h]
    0x0000000e mov ecx, dword ptr [ebp-14h]
    0x00000011 sbb ecx, dword ptr [ebp-1Ch]
    0x00000014 add eax, dword ptr [ebp-10h]
    0x00000017 adc ecx, dword ptr [ebp-0Ch]
    0x0000001a mov dword ptr [ebp-10h], eax
    0x0000001d mov dword ptr [ebp-0Ch], ecx
    0x00000020 jmp 00007F67A4B3DFF5h
    0x00000022 mov edx, dword ptr [ebp-04h]
    0x00000025 add edx, 01h
    0x00000028 mov dword ptr [ebp-04h], edx
    0x0000002b cmp dword ptr [ebp-04h], 64h
    0x0000002f jnl 00007F67A4B3E080h
    0x00000031 rdtsc
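Read as a loop, the two RDTSC listings above are the textbook hypervisor timing probe: rdtsc, then cpuid (which always exits to the hypervisor under hardware virtualisation and therefore costs far more there), then rdtsc again, with the 64-bit difference formed by sub/sbb and accumulated in [ebp-10h]:[ebp-0Ch] by add/adc, repeated until the counter at [ebp-04h] reaches 64h (100). The Python below is an added example, not code from the report or from Joe Sandbox: it splits the report's one-line listings into instructions, confirms that shape mechanically rather than by eye, and replays the accumulator arithmetic on constructed cycle readings. The threshold the real code compares the total against is outside the excerpt, so the one used here is an assumption. One check before attributing the probe to the dropped binary: 76ACF3E1 and 76ACF3FD are far from ISDbg.exe's own functions (0x008Bxxxx to 0x00ACxxxx elsewhere in this report), so the instructions belong to a module loaded into that process rather than to its main image; identify which before drawing conclusions.

```python
import re

# The two listings from the report lines above, copied verbatim (the sandbox's own data).
RUN_BEFORE = (
    "0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx "
    "0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid "
    "0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx "
    "0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc"
)
RUN_AFTER = (
    "0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx "
    "0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] "
    "0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] "
    "0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007F67A4B3DFF5h "
    "0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx "
    "0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007F67A4B3E080h 0x00000031 rdtsc"
)

# An instruction is an 8-digit offset followed by text that runs up to the next offset.
INSN = re.compile(r"0x([0-9a-fA-F]{8}) (.+?)(?= 0x[0-9a-fA-F]{8} |$)")
MASK64 = (1 << 64) - 1


def split_listing(run):
    """'0x00000000 rdtsc 0x00000002 mov ...' -> [(0, 'rdtsc'), (2, 'mov ...'), ...]."""
    return [(int(off, 16), text) for off, text in INSN.findall(run)]


def describe_probe(run_before, run_after):
    """Structural facts about the probe, derived from the listings rather than assumed."""
    insns = split_listing(run_before) + split_listing(run_after)
    mnemonics = [text.split()[0] for _, text in insns]
    first = mnemonics.index("rdtsc")
    second = mnemonics.index("rdtsc", first + 1)
    loop = re.search(r"cmp dword ptr \[ebp-04h\], ([0-9A-Fa-f]+)h", run_after)
    return {
        "instructions": len(insns),
        "serialized_by_cpuid": "cpuid" in mnemonics[first:second],
        "accumulates_64bit": "sbb" in mnemonics and "adc" in mnemonics,
        "iterations": int(loop.group(1), 16) if loop else None,
    }


def accumulate_deltas(samples):
    """Replay the loop body: (t_end - t_start) via sub/sbb, summed via add/adc, mod 2**64."""
    total = 0
    for t_start, t_end in samples:
        total = (total + ((t_end - t_start) & MASK64)) & MASK64
    return total


def probe_verdict(total, iterations, threshold=1000):
    """Average cycles per rdtsc/cpuid/rdtsc round and whether it exceeds the threshold.
    The threshold is an assumption; the compare that uses the total is not in the excerpt."""
    average = total // iterations
    return average, average > threshold


if __name__ == "__main__":
    print(describe_probe(RUN_BEFORE, RUN_AFTER))
    # Constructed readings: 250 cycles per round on bare metal, 2500 with cpuid trapped.
    for label, per_round in (("bare metal", 250), ("hypervisor", 2500)):
        total = accumulate_deltas([(1000, 1000 + per_round)] * 100)
        print(label, probe_verdict(total, 100))
```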
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe API coverage: 0.0 %
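Reading the two RDTSC interceptor entries together: the code takes a timestamp, executes CPUID leaf 0 (eax = ecx = 0), takes a second timestamp, accumulates the 64-bit difference with sub/sbb and add/adc, and repeats until a counter at [ebp-04h] reaches 64h (100). CPUID is a serialising instruction that traps to the hypervisor on most virtualisation platforms, so the average cycle count per iteration is much larger inside a VM than on bare metal. The C program below is an added example written for this report, not code recovered from the sample or produced by Joe Sandbox: it re-implements that loop and pairs it with the CPUID hypervisor-vendor signatures ("VMwareVMware", "XenVMMXenVMM", "KVMKVMKVM", "Microsoft Hv") that the FlexNet licensing strings further down in this section compare against. The 1000-cycle threshold is an assumption for illustration only; real values vary with CPU model, frequency scaling and hypervisor, which is why a timing check of this kind is noisy and why sandboxes that expose a hardware-faithful TSC are hard to catch with it. One caveat when weighting this section: the "FlexNet Licensing Service", "FNP_FAKE_VM" and "FlxCore/FlxCore64" strings show that much of the hypervisor-detection text in ISUIServices.dll and ISDbg.exe belongs to embedded FlexNet licensing code rather than to the stealer, so the executed RDTSC loop and the WMI queries issued by setup.exe itself are the stronger evasion indicators.

```c
/*
 * Added example: CPUID hypervisor signature check plus the RDTSC/CPUID
 * timing loop seen in the ISDbg.exe trace. Not the sample's own code.
 * Builds on any platform; the CPU-specific parts run only on x86/x86-64.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid(level, a, b, c, d) macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Average TSC ticks between two RDTSC reads that bracket CPUID leaf 0,
 * exactly as the trace does: rdtsc; cpuid; rdtsc; total += delta; x iters.
 * Returns 0 when iters <= 0 or when built for a non-x86 target. */
uint64_t avg_cpuid_cycles(int iters)
{
#if HAVE_X86
    uint64_t total = 0;
    for (int i = 0; i < iters; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* serialising; VM exit on most hypervisors */
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        total += t1 - t0;         /* the sub/sbb + add/adc pair in the trace */
    }
    return iters > 0 ? total / (uint64_t)iters : 0;
#else
    (void)iters;
    return 0;
#endif
}

/* Read CPUID leaf 1 ECX bit 31 ("hypervisor present") and the 12-byte
 * vendor signature from leaf 0x40000000 (EBX, ECX, EDX). out needs 13 bytes.
 * Returns 1 when the registers were actually read, 0 on non-x86 builds. */
int read_hypervisor_vendor(char out[13], int *hv_bit)
{
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    *hv_bit = (int)((c >> 31) & 1u);
    __cpuid(0x40000000, a, b, c, d);
    memcpy(out + 0, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
    out[12] = '\0';
    return 1;
#else
    out[0] = '\0';
    *hv_bit = 0;
    return 0;
#endif
}

/* Map a leaf-0x40000000 signature to a hypervisor name. The strings are the
 * ones that appear in the binary-string dump of this section; anything else
 * (including a bare-metal "GenuineIntel"-style echo) is "unknown". */
const char *classify_vendor(const char *sig)
{
    static const struct { const char *sig; const char *name; } table[] = {
        { "VMwareVMware", "VMware"  },
        { "XenVMMXenVMM", "Xen"     },
        { "KVMKVMKVM",    "KVM"     },   /* padded with NULs to 12 bytes on real hosts */
        { "Microsoft Hv", "Hyper-V" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(sig, table[i].sig, 12) == 0)
            return table[i].name;
    return "unknown";
}

/* The decision the trace's loop feeds into: average ticks above a threshold.
 * The threshold is an assumption; it must be calibrated per CPU to be useful. */
int looks_virtualized(uint64_t avg_cycles, uint64_t threshold)
{
    return avg_cycles > threshold;
}

int main(void)
{
    char vendor[13];
    int hv = 0;
    int have_cpuid = read_hypervisor_vendor(vendor, &hv);
    uint64_t avg = avg_cpuid_cycles(100);   /* 0x64 iterations, as in the trace */

    if (!have_cpuid)
        puts("non-x86 build: CPUID/RDTSC checks skipped");
    printf("hypervisor bit: %d, vendor leaf: %s\n", hv, classify_vendor(vendor));
    printf("avg TSC ticks per CPUID over 100 runs: %llu -> %s (threshold 1000, assumed)\n",
           (unsigned long long)avg,
           looks_virtualized(avg, 1000) ? "likely virtualised" : "below threshold");
    return 0;
}
```

Compile with `cc -O2 -o vmcheck vmcheck.c` and run it on the analysis VM and on a physical host to see the gap the sample is measuring; on a host where the hypervisor bit is set but the vendor leaf is unknown, the timing loop is the only one of the two checks that still fires, which is the case the trace is built for.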
Source: C:\Users\user\Desktop\setup.exe TID: 5160 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00922218 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,_wcslen, 4_2_00922218
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008CF090 FindFirstFileW,FindClose, 4_2_008CF090
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008CF010 FindFirstFileW,FindClose, 4_2_008CF010
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00ABC7D7 GetModuleHandleW,GetProcAddress,GetSystemInfo, 4_2_00ABC7D7
Source: ISUIServices.dll.0.dr Binary or memory string: VMware
Source: ISUIServices.dll.0.dr Binary or memory string: VMwareVMware detected
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU Virtual CPU
Source: ISUIServices.dll.0.dr Binary or memory string: status - category: public, code: %d (%s), details: %sstatus - category: external, code: %d, details: %sstatus - category: unknown, code: %d, details: %sVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzure
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: ISUIServices.dll.0.dr Binary or memory string: .lic%s > %sVM_ALLPHYSICALVM_ONLYVMWHYPER-VXENQEMUPARALLELSVIRTUALBOXAMAZONGOOGLEAZUREVPCi86_rei86_sei86_lsbamd64_rex64_sex64_lsbit64_reit64_lsbppc_reppc_seppc_lsbppc64_reppc64_seppc64_lsb%s <> SIGN%s=NOMORE146,INTERNET=%s
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: WMI checking for VM_WMI_QEMU
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: ISUIServices.dll.0.dr Binary or memory string: t t%s.%s.%u2020.07.0.2675582020.06.26-04.33.11%u.%u.%u.%s.%s.%u*.binVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzureVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzure%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02xVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzureVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzureVirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzureUnknown status code.Features are not available due to a rule rejectionThe number of buffer license copies can increase, not decreaseThe client has no available count for the featureThe decremented feature count is greater than the client's current countThe activation ID copies requested were only partially fulfilledThe Requestor ID is invalidThe expiration date override on add-on was ignoredNot licensed.Server's grace period has expired.Binding break detected.The back-office rejected the sync message because it contains invalid feature idsCapability request rejected due to trust breakFeature is not available due to a server checkout filter rejectionServer is currently busy processing reservations. 
(currently unused)Features with a metered license model are not supported in buffer licensesServer's environment tolerance interval has expiredServer is currently running in environment tolerance intervalLicense Expiration Date not found for the specified activation IDThe activation ID specified cannot have its copies increasedTotal activation ID copies requested exceeds entitled copiesThe host ID is marked as returnedCapability response rejected as it would cause overage and overage control is enabled.Client cannot switch from use of served buffer to trusted storage and vice versa.Served buffer features cannot be returned early.Requesting host is not registered on the license serverServer does not support features with a metered license modelServer does not support features with an overdraft countFeature cannot be returned because it is not marked as reusableUnable to process requestServer cannot grant the return of the feature due to an insufficient countThe allowed undo interval has passed or the correlation ID is incorrectFeature cannot be returned because its start date is in the futureFeature cannot be returned because it has expiredThe requested version of the feature is not available for returnFeature is not available for returnServer records do not match return data in the capability requestDesired features in capability request contain both positive and negative countsThe required correlation ID for this application type is missing from the capability requestServer does not support cli
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: ISUIServices.dll.0.dr Binary or memory string: VMWARE
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr Binary or memory string: Microsoft Hyper-V
Source: ISUIServices.dll.0.dr Binary or memory string: s_vm_wmi_VMware_detection - VMware not detected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Correction - CPUID data block search indicates QEMU detected
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: CPUID Hyper-V Signature rejected
Source: ISUIServices.dll.0.dr Binary or memory string: Running GoogleCompute Environment MechanismGoogleCompute Environment Mechanism positve resultGoogleCompute Environment Mechanism negative resultFake Vm Detection MechanismFNP_FAKE_VMFake Vm Detection Mechanism negative result:cca6e10f064c06c49acf44bd0317aed73000818fFake Vm Detection Mechanism positive resultr :FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONGRunning XEN-specific CPUID Detection MechanismInspecting signatures, displaying non-trivial instances....XenVMMXenVMMXen detected using cpuid mechanismXEN-specific CPUID test negativeRunning XEN-specific Vm Detection MechanismXEN-specific CPUID Detection positive resultXEN-specific CPUID Detection negative resultPopulating VMWARE Attributes....VMWAREDESKTOPAttribute Population DoneMICROSOFTHYPERVVIRTUALPCUNKNOWNVMRunning QEMU-specific CPUID Detection MechanismKVMKVMKVMQEMU detected using cpuid mechanismQEMU-specific CPUID test negativeRunning QEMU-specific Vm Detection MechanismQEMU Detection positive resultQEMU Detection negative resultPopulating QEMU VM AttributesPopulating PARALLELS VM AttributesFailed to create WMI objectSELECT * FROM Win32_NetworkAdapterPNPDeviceIDVMBUS\GuidAzure detected on the following NIC:Error: Cmn Wmi query failedRunning AZURE-specific Vm Detection MechanismAZURE-specific detection positive resultAZURE-specific detection negative resultAnalyzing signature....XenVMMXenVMM detectedVMwareVMwareVMwareVMware detectedMicrosoft HvMicrosoft Hv detectedKVM detected but ignoredRunning CPUID Vm Detection MechanismCPUID instruction not implementedCPUID instruction supportedRunning Windows-specific CPUID Detection Mechanism....Obtained signature....Success: Non-Hv hypervisor detectedWindows-specific non-Hv CPUID Detection Mechanism SuccessWindows-specific non-Hv CPUID Detection Mechanism FailedBasic Hypervisor present bit set<empty>Signature recognizedBasic Hypervisor present bit not setCPUID Hypervisor Detection positive 
resultCPUID Hypervisor Detection negative resultCPUID Vm Detection positive resultCPUID Vm Detection negative resultOpening GenId File Path\\.\VmGenerationCounterFailed to open GenId fileFailed to read GenId counter from file%I64x:%I64xAccessing VMGenId valueInsufficient privilege to access VMGenIdI/O error in the VMGenId privileged accessorSupplied buffer too small to hold GenIdFailed to obtain VMGenId valueVMGenId value successfully obtainedP
Source: ISUIServices.dll.0.dr Binary or memory string: WMI checking for VM_WMI_VMWARE
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: content-length: %dSELECT * FROM Win32_BaseBoardProductVirtual Machines_vm_wmi_hyperv_detection - HyperV detecteds_vm_wmi_hyperv_detection - HyperV not detectedWin32_BIOSSerialNumberVMwares_vm_wmi_VMware_detection - VMware detecteds_vm_wmi_VMware_detection - VMware not detectedSELECT * FROM Win32_BIOSManufacturerinnotek GmbHSMBIOSBIOSVersionVirtualBoxSELECT Name FROM Win32_PROCESSORNameQEMU Virtual CPUSELECT * FROM Win32_DiskDriveCaptionModelWin32_ComputerSystemParallelss_vm_wmi_Parallels_detection - Parallels detected via Manufacturers_vm_wmi_Parallels_detection - Parallels not detected via ManufacturerSELECT HypervisorPresent FROM Win32_ComputerSystemHypervisorPresents_vm_wmi_HypervisorPresent_detection - HypervisorPresent detectedWMI Vm Detection MechanismWMI checking for VM_WMI_HYPERVWMI checking for VM_WMI_VMWAREWMI checking for VM_WMI_VIRTUALBOXWMI checking for VM_WMI_QEMUWMI checking for VM_WMI_PARALLELSWMI checking for VM_FAMILY_UNKNOWNWMI Vm Detection Mechanism positive resultWMI Vm Detection Mechanism negative resultAttempting to read SMBIOS UUID from WMI....SELECT UUID FROM Win32_ComputerSystemProductUUIDSMBIOS UUID successfully readFailed to read SMBIOS UUIDW
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Running QEMU-specific CPUID Detection Mechanism
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Populating QEMU VM Attributes
Source: ISUIServices.dll.0.dr Binary or memory string: content-length: %dSELECT * FROM Win32_BaseBoardProductVirtual Machines_vm_wmi_hyperv_detection - HyperV detecteds_vm_wmi_hyperv_detection - HyperV not detectedWin32_BIOSSerialNumberVMwares_vm_wmi_VMware_detection - VMware detecteds_vm_wmi_VMware_detection - VMware not detectedSELECT * FROM Win32_BIOSManufacturerinnotek GmbHSMBIOSBIOSVersionVirtualBoxSELECT Name FROM Win32_PROCESSORNameQEMU Virtual CPUSELECT * FROM Win32_DiskDriveCaptionModelWin32_ComputerSystemParallelss_vm_wmi_Parallels_detection - Parallels detected via Manufacturers_vm_wmi_Parallels_detection - Parallels not detected via ManufacturerSELECT HypervisorPresent FROM Win32_ComputerSystemHypervisorPresents_vm_wmi_HypervisorPresent_detection - HypervisorPresent detectedWMI Vm Detection MechanismWMI checking for VM_WMI_HYPERVWMI checking for VM_WMI_VMWAREWMI checking for VM_WMI_VIRTUALBOXWMI checking for VM_WMI_QEMUWMI checking for VM_WMI_PARALLELSWMI checking for VM_FAMILY_UNKNOWNWMI Vm Detection Mechanism positive resultWMI Vm Detection Mechanism negative result\\.\pipe\FlexNet Licensing ServiceABF27A87-DC96-4b05-A06B-83EB2749B800The FlexNet Licensing Service failed to startCould not create named pipeCould not open named pipe: 1 second wait timed outNot able to open the named pipe handleNot able to write to the named pipeInsufficient privilege to talk to the Windows Service Control Manager - set the FlexNet Licensing Service to auto-startThe FlexNet Licensing Service is not installedThe FlexNet Licensing Service is disabledThe FlexNet Licensing Service is marked for delete - reboot & then re-installThe FlexNet Licensing Service is already running - no action requiredInsufficient privilege to talk to the FlexNet Licensing Service - set the service to auto-startThe Windows Service Control Manager has a database lock - check which app is using itThe FlexNet Licensing Service is incorrectly configured; please re-installFlexNet Licensing 
Service%^%^%^VMAttrsVM Attributes not available - incompatible version of the service%^%^%^TPMPropsTPM Properties not available - incompatible version of the service%^%^%^FNLSVerFNLS Version info not available - incompatible version of the service11.16.6.0.260203.2020/01/15Not able to read message from license service%d.%d.%d.%d.%d.%d/%d/%d%*d.%*d.%*d.%*d.%d.%d/%d/%d%d.%d.%d.%dW
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: ISUIServices.dll.0.dr Binary or memory string: VMwareVMware
Source: ISUIServices.dll.0.dr Binary or memory string: Required capability response not received.Unable to locate an appropriate served buffer license source.Short code API does not support the current segment size specification.Short code response decoding scheme not set.Unable to find short code response object.Segmented short code response is incomplete.Unable to locate an appropriate certificate license source.Unable to locate an appropriate buffer license source.Unable to locate a trusted storage license source.Capability response already processed.Unable to locate FlxCore/FlxCore64 library.VirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzure
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr Binary or memory string: HYPER-V
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU detected using cpuid mechanism
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU Detection positive result
Source: ISDbg.exe, 00000004.00000002.2769616988.0000000000C04000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: IS_VM_TYPE_VMWARE
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ISUIServices.dll.0.dr Binary or memory string: vendorCloud detectedVMWare detectedXEN detectedQEMU detectedUnknown hypervisor detectedHyper-V detectedCorrection - XEN detectedCorrection - CPUID data block search indicates QEMU detectedCorrection - WMI indicates Physical machinePhysical machine detectedVirtualBox detectedQemu detectedParallels detectedHypervisor detectedFAKE VM detectedLocal\{a3d0d9cf-ef71-409f-acb2-91dca7237f13}-%lx-s_vm_initFAKE VM detected (non-privileged)CPUID Hyper-V Signature rejected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Qemu detected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Running GoogleCompute Environment MechanismGoogleCompute Environment Mechanism positve resultGoogleCompute Environment Mechanism negative resultFake Vm Detection MechanismFNP_FAKE_VMFake Vm Detection Mechanism negative result:cca6e10f064c06c49acf44bd0317aed73000818fFake Vm Detection Mechanism positive result-r :FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONG:FAKE_VM_TOO_LONGRunning XEN-specific CPUID Detection MechanismInspecting signatures, displaying non-trivial instances....XenVMMXenVMMXen detected using cpuid mechanismXEN-specific CPUID test negativeRunning XEN-specific Vm Detection MechanismXEN-specific CPUID Detection positive resultXEN-specific CPUID Detection negative resultXENPopulating VMWARE Attributes....VMWAREDESKTOPSERVERAttribute Population DoneMICROSOFTHYPERVVIRTUALPCVIRTUALBOXUNKNOWNVMRunning QEMU-specific CPUID Detection MechanismKVMKVMKVMQEMU detected using cpuid mechanismQEMU-specific CPUID test negativeQEMURunning QEMU-specific Vm Detection MechanismQEMU Detection positive resultQEMU Detection negative resultPopulating QEMU VM AttributesPopulating PARALLELS VM AttributesPARALLELSFailed to create WMI objectSELECT * FROM Win32_NetworkAdapterPNPDeviceIDVMBUS\GuidAzure detected on the following NIC:Error: Cmn Wmi query failedRunning AZURE-specific Vm Detection MechanismAZURE-specific detection positive resultAZURE-specific detection negative resultAZUREAnalyzing signature....XenVMMXenVMM detectedVMwareVMwareVMwareVMware detectedMicrosoft HvMicrosoft Hv detectedKVM detected but ignoredRunning CPUID Vm Detection MechanismCPUID instruction not implementedCPUID instruction supportedRunning Windows-specific CPUID Detection Mechanism....Obtained signature....Success: Non-Hv hypervisor detectedWindows-specific non-Hv CPUID Detection Mechanism SuccessWindows-specific non-Hv CPUID Detection Mechanism FailedBasic Hypervisor 
present bit set<empty>Signature recognizedBasic Hypervisor present bit not setCPUID Hypervisor Detection positive resultCPUID Hypervisor Detection negative resultCPUID Vm Detection positive resultCPUID Vm Detection negative resultOpening GenId File Path\\.\VmGenerationCounterFailed to open GenId fileFailed to read GenId counter from file%I64x:%I64xAccessing VMGenId valueInsufficient privilege to access VMGenIdI/O error in the VMGenId privileged accessorSupplied buffer too small to hold GenIdFailed to obtain VMGenId valueVMGenId value successfully obtainedP
Source: ISUIServices.dll.0.dr Binary or memory string: Populating VMWARE Attributes....
Source: ISUIServices.dll.0.dr Binary or memory string: VMWare detected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Hyper-V detected
Source: setup.exe, 00000000.00000003.2331133872.000000000422C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: ISUIServices.dll.0.dr Binary or memory string: s_vm_wmi_VMware_detection - VMware detected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: HCloud detectedVMWare detectedXEN detectedQEMU detectedUnknown hypervisor detectedHyper-V detectedCorrection - XEN detectedCorrection - CPUID data block search indicates QEMU detectedCorrection - WMI indicates Physical machinePhysical machine detectedVirtualBox detectedQemu detectedParallels detectedHypervisor detectedFAKE VM detectedLocal\{a3d0d9cf-ef71-409f-acb2-91dca7237f13}-%lx-s_vm_initFAKE VM detected (non-privileged)CPUID Hyper-V Signature rejectedstatus=value=<null><undefined>%s0x%x,%s%s%u
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU Detection negative result
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU-specific CPUID test negative
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: QEMU detected
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr Binary or memory string: VirtualMachineName
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: setup.exe, 00000000.00000003.2746647026.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2501877009.0000000004516000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770453133.0000000003026000.00000002.00000001.01000000.00000008.sdmp, ISDbg.exe, 00000004.00000002.2777499327.000000006C6F4000.00000002.00000001.01000000.0000000A.sdmp, ISUIServices.dll.0.dr Binary or memory string: Running QEMU-specific Vm Detection Mechanism
Source: ISUIServices.dll.0.dr Binary or memory string: VirtualMachineNameVMwareMicrosoft Hyper-VMicrosoft Virtual PCXenKVMUnknownAmazon EC2Virtual BoxQemuParallelsGoogle ComputeAzureFNE1
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: setup.exe, 00000000.00000003.2331133872.0000000004227000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: setup.exe, 00000000.00000003.2746647026.0000000005F7E000.00000004.00000800.00020000.00000000.sdmp, ISDbg.exe, 00000004.00000002.2770824598.0000000003144000.00000002.00000001.01000000.00000008.sdmp, ISUIServices.dll.0.dr Binary or memory string: pvbVirtualMachineWWW
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00AD4023 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00AD4023
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008E6A7F OutputDebugStringA,GetLastError, 4_2_008E6A7F
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008B10F8 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress, 4_2_008B10F8
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008DAF80 GetProcessHeap,__Init_thread_footer, 4_2_008DAF80

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe NtQuerySystemInformation: Direct from: 0x1000100D
Source: ISDbg.exe, 00000004.00000002.2769616988.0000000000C04000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: ExitProgMan
Source: ISDbg.exe, 00000004.00000002.2769616988.0000000000C04000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: PROGMAN
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_00AAA8C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00AAA8C4
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008F1FB8 __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW, 4_2_008F1FB8
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: setup.exe PID: 6512, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: setup.exe, 00000000.00000003.2332281369.00000000009B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: setup.exe, 00000000.00000003.2332281369.00000000009B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: setup.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: setup.exe, 00000000.00000003.2344496085.00000000009B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet`1/
Source: setup.exe String found in binary or memory: Wallets/Exodus
Source: setup.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: setup.exe, 00000000.00000003.2344496085.00000000009B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL Jump to behavior
Source: Yara match File source: 00000000.00000003.2344496085.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2362659978.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2366867540.00000000009C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2332281369.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2366822613.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 6512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: setup.exe PID: 6512, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008EF3EF CreateBindCtx,_wcslen,CoTaskMemFree, 4_2_008EF3EF
Source: C:\Users\user\AppData\Local\Temp\ZD058SML6HEQFYABXN6\ISDbg.exe Code function: 4_2_008EF49B __EH_prolog3_GS,_wcslen,__snprintf_s,CoTaskMemFree,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree, 4_2_008EF49B