Windows Analysis Report
setup_run.exe

Overview

General Information

Sample name: setup_run.exe
Analysis ID: 1525818
MD5: f9e546bb5a4898d65b61f8b3d93a1662
SHA1: a4f5d8c4fec7657211c71c31f92d347cad13b1c8
SHA256: b1a638cc1c6fab24c26193035daa72cdc459deebf7a11de130cf41a4218e81d0
Tags: exe, user-aachum

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: C:\Users\user\Desktop\setup_run.exe:a.dll Avira: detection malicious, Label: HEUR/AGEN.1354117
Source: setup_run.exe ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\setup_run.exe:a.dll Joe Sandbox ML: detected
Source: setup_run.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014006FB20 CryptUnprotectData,LocalFree, 1_2_000000014006FB20
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400D0060 OpenProcessToken,CryptProtectData,BitBlt, 1_2_00000001400D0060
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400D0098 CryptProtectData, 1_2_00000001400D0098
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140035E00 CryptUnprotectData,LocalFree, 1_2_0000000140035E00
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014006FE40 CryptProtectData,LocalFree, 1_2_000000014006FE40
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: setup_run.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400B66D0 FindClose,FindFirstFileExW,GetLastError, 1_2_00000001400B66D0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400B6780 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 1_2_00000001400B6780
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007EEF0 GetLogicalDriveStringsW, 1_2_000000014007EEF0
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbx 0_2_00007FF650A291F6
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then cmp rdx, 01h 0_2_00007FF650A3F160
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 0_2_00007FF650A49250
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rdi 0_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 0_2_00007FF650A412A0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbp 0_2_00007FF650A3A3B0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r12 0_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 0_2_00007FF650A41630
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rdi 0_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 0_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r15 0_2_00007FF650A3881E
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbp 0_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r12 0_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF650A54DF0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF650A54EE9
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then mov rcx, qword ptr [rcx] 0_2_00007FF650A4AE40
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbx 1_2_00007FF650A291F6
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then cmp rdx, 01h 1_2_00007FF650A3F160
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 1_2_00007FF650A49250
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rdi 1_2_00007FF650A4A250
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 1_2_00007FF650A412A0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbp 1_2_00007FF650A3A3B0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r12 1_2_00007FF650A515F0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 1_2_00007FF650A41630
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rdi 1_2_00007FF650A49730
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rsi 1_2_00007FF650A4C700
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r15 1_2_00007FF650A3881E
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push rbp 1_2_00007FF650A3A9F0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then push r12 1_2_00007FF650A50A70
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then sub rsp, 28h 1_2_00007FF650A54DF0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then sub rsp, 28h 1_2_00007FF650A54EE9
Source: C:\Users\user\Desktop\setup_run.exe Code function: 4x nop then mov rcx, qword ptr [rcx] 1_2_00007FF650A4AE40

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.9:49705 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.9:49705 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.9:49705 -> 109.107.181.162:15666
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: global traffic TCP traffic: 192.168.2.9:49705 -> 109.107.181.162:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: TELEPORT-TV-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007C570 recv,recv,closesocket,WSACleanup, 1_2_000000014007C570
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: setup_run.exe, 00000001.00000003.1600289450.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598373186.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1601265710.000002157B563000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1598513815.000002157B580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1599915494.000002157B563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: setup_run.exe, 00000001.00000003.2162308315.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162363651.000002157D2A0000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2162448327.000002157D2A4000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1597864768.000002157D291000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/ocal
Source: setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: setup_run.exe, 00000001.00000003.1618471140.000002157D49E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600042334.000002157D4C2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1600397344.000002157D4C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: setup_run.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: setup_run.exe, 00000001.00000003.1606400571.000002157D580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607442947.000002157D640000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D738000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D785000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D78D000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1616945458.000002157E919000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D730000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4FA000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D804000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4F2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D80C000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: setup_run.exe, 00000001.00000003.1600397344.000002157D4DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: setup_run.exe, 00000001.00000003.1618691332.000002157D47B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: setup_run.exe, 00000001.00000003.1606400571.000002157D580000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607442947.000002157D640000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D738000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D785000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D78D000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1616945458.000002157E919000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D730000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4FA000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D804000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D4F2000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D80C000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: setup_run.exe, 00000001.00000003.1609316820.000002157DFC5000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1608627327.000002157D814000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606400571.000002157D58F000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607134875.000002157D502000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1606806483.000002157D740000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.1607922547.000002157D795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007D670 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_000000014007D670
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A124B0 GetModuleFileNameW,LoadLibraryA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,wcslen,LdrLoadDll,GetProcAddress,GetCurrentProcess,NtAllocateVirtualMemory,memcpy,memcpy, 0_2_00007FF650A124B0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A11E00 memcpy,wcslen,CreateFileW,NtWriteFile,CloseHandle,free,CloseHandle, 0_2_00007FF650A11E00
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400D0670 GdipCreateBitmapFromHBITMAP,GdiplusStartup,NtQueryObject, 1_2_00000001400D0670
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400D06D8 NtQuerySystemInformation, 1_2_00000001400D06D8
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400D06E8 NtAllocateVirtualMemory, 1_2_00000001400D06E8
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140081880 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 1_2_0000000140081880
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140081FC0 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 1_2_0000000140081FC0
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 00000001400300A0 appears 62 times
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 00007FF650A548B0 appears 250 times
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 00007FF650A52650 appears 54 times
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 00007FF650A54720 appears 88 times
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\Desktop\setup_run.exe Code function: String function: 00007FF650A54810 appears 598 times
Source: setup_run.exe_a.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140083540 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 1_2_0000000140083540
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A12BB4 CreateToolhelp32Snapshot,Process32First,MultiByteToWideChar,Process32Next,MultiByteToWideChar,MultiByteToWideChar, 0_2_00007FF650A12BB4
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014006CDE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString, 1_2_000000014006CDE0
Source: C:\Users\user\Desktop\setup_run.exe File created: C:\Users\user\Desktop\setup_run.exe:a.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Users\user\Desktop\setup_run.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963A15E1DEB
Source: setup_run.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup_run.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\setup_run.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup_run.exe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\setup_run.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup_run.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\setup_run.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: setup_run.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: setup_run.exe Static file information: File size 1766400 > 1048576
Source: setup_run.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x163000
Source: setup_run.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A30D70 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 0_2_00007FF650A30D70
Source: setup_run.exe Static PE information: section name: .xdata
Source: setup_run.exe_a.dll.0.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\setup_run.exe File created: C:\Users\user\Desktop\setup_run.exe:a.dll
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140074060 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 1_2_0000000140074060

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\setup_run.exe File created: C:\Users\user\Desktop\setup_run.exe:a.dll
Source: C:\Users\user\Desktop\setup_run.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\setup_run.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\setup_run.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\setup_run.exe Code function: VMwareVMMicrosofVBoxVBox VMwareVMMicrosofVBoxVBox MicrosofVBoxVBox VBoxVBox VBox 0_2_00007FF650A129E0
Source: C:\Users\user\Desktop\setup_run.exe Code function: VMwareVMMicrosofVBoxVBox VMwareVMMicrosofVBoxVBox MicrosofVBoxVBox VBoxVBox VBox 1_2_00007FF650A129E0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\setup_run.exe Dropped PE file which has not been started: C:\Users\user\Desktop\setup_run.exe:a.dll
Source: C:\Users\user\Desktop\setup_run.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\setup_run.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\setup_run.exe API coverage: 4.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400B66D0 FindClose,FindFirstFileExW,GetLastError, 1_2_00000001400B66D0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400B6780 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 1_2_00000001400B6780
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007EEF0 GetLogicalDriveStringsW, 1_2_000000014007EEF0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400949C0 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_00000001400949C0
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\setup_run.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: setup_run.exe Binary or memory string: VMwareVMMicrosofVBoxVBox
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1598492369.000002157B513000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000003.2161425879.000002157B515000.00000004.00000020.00020000.00000000.sdmp, setup_run.exe, 00000001.00000002.2163940331.000002157B516000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B4A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: setup_run.exe Binary or memory string: 6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAEe6yy7UkVAntdll.dllLdrLoadDll:a.dllntdll.dllRtlInitUnicodeStLdrUnloaExecuteVMwareVMMicrosofVBoxVBox
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: setup_run.exe, 00000001.00000003.1604591298.000002157D598000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\setup_run.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\setup_run.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\setup_run.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A124B0 GetModuleFileNameW,LoadLibraryA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,wcslen,LdrLoadDll,GetProcAddress,GetCurrentProcess,NtAllocateVirtualMemory,memcpy,memcpy, 0_2_00007FF650A124B0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014008D368 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_000000014008D368
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400B89D4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 1_2_00000001400B89D4
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A30D70 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 0_2_00007FF650A30D70
Source: C:\Users\user\Desktop\setup_run.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00007FF650A11180
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00007FF650A11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 1_2_00007FF650A11180
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00007FF650BC13E0 SetUnhandledExceptionFilter, 1_2_00007FF650BC13E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF8E7B01690 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameA,CreateProcessA,FreeLibrary,FreeLibrary,FreeLibrary,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject, 0_2_00007FF8E7B01690
Source: C:\Users\user\Desktop\setup_run.exe NtWriteFile: Indirect: 0x7FF650A122C2
Source: C:\Users\user\Desktop\setup_run.exe NtAllocateVirtualMemory: Indirect: 0x7FF650A12840
Source: C:\Users\user\Desktop\setup_run.exe Memory written: C:\Users\user\Desktop\setup_run.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\setup_run.exe Thread register set: target process: 6156
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_0000000140072E60 ShellExecuteW, 1_2_0000000140072E60
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Users\user\Desktop\setup_run.exe "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Users\user\Desktop\setup_run.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\setup_run.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\setup_run.exe Code function: 0_2_00007FF650A129E0 cpuid 0_2_00007FF650A129E0
Source: C:\Users\user\Desktop\setup_run.exe Code function: EnumSystemLocalesW, 1_2_00000001400A402C
Source: C:\Users\user\Desktop\setup_run.exe Code function: EnumSystemLocalesW, 1_2_00000001400A40FC
Source: C:\Users\user\Desktop\setup_run.exe Code function: EnumSystemLocalesW, 1_2_00000001400992E4
Source: C:\Users\user\Desktop\setup_run.exe Code function: GetLocaleInfoEx,FormatMessageA, 1_2_00000001400B6340
Source: C:\Users\user\Desktop\setup_run.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00000001400A4538
Source: C:\Users\user\Desktop\setup_run.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00000001400A4714
Source: C:\Users\user\Desktop\setup_run.exe Code function: GetLocaleInfoW, 1_2_0000000140099828
Source: C:\Users\user\Desktop\setup_run.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_00000001400A3CE0
Source: C:\Users\user\Desktop\setup_run.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\setup_run.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_00000001400940C0 GetSystemTimeAsFileTime, 1_2_00000001400940C0
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007DC50 GetUserNameW, 1_2_000000014007DC50
Source: C:\Users\user\Desktop\setup_run.exe Code function: 1_2_000000014007F1A0 GetTimeZoneInformation,GlobalMemoryStatusEx,wcsftime,GetModuleFileNameA, 1_2_000000014007F1A0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\config
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: setup_run.exe, 00000001.00000002.2163940331.000002157B497000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\setup_run.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\setup_run.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\setup_run.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: setup_run.exe PID: 6156, type: MEMORYSTR