
Windows Analysis Report
lumma_shredder.exe

Overview

General Information

Sample name: lumma_shredder.exe
Analysis ID: 1615221
MD5: 4ea56fe4a67ad0ec44bed42c40c5b6ae
SHA1: 3a2e69c86fc66ae8d12a0e5e55e1fa6142e3cf22
SHA256: 19268364210977c4938d3ef1d146bfc4e3ee52c502d332b877ae5489e2225fc5
Tags: exe, LummaStealer, user-threatcat_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal FTP login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lumma_shredder.exe (PID: 4480 cmdline: "C:\Users\user\Desktop\lumma_shredder.exe" MD5: 4EA56FE4A67AD0EC44BED42C40C5B6AE)
    • lumma_shredder.exe (PID: 5180 cmdline: "C:\Users\user\Desktop\lumma_shredder.exe" MD5: 4EA56FE4A67AD0EC44BED42C40C5B6AE)
      • vcpkgsrv.exe (PID: 5840 cmdline: "C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe" MD5: 38901633C833CBA7F682472CED0DBE4B)
        • vcpkgsrv.exe (PID: 5264 cmdline: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe MD5: 38901633C833CBA7F682472CED0DBE4B)
          • choice.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\choice.exe MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
            • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • explorer.exe (PID: 1816 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
              • WerFault.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 324 MD5: C31336C1EFC2CCB44B4326EA793040F2)
              • WerFault.exe (PID: 3448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 332 MD5: C31336C1EFC2CCB44B4326EA793040F2)
              • WerFault.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 376 MD5: C31336C1EFC2CCB44B4326EA793040F2)
              • WerFault.exe (PID: 4924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
              • WerFault.exe (PID: 5012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 348 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • vcpkgsrv.exe (PID: 1888 cmdline: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe MD5: 38901633C833CBA7F682472CED0DBE4B)
    • choice.exe (PID: 4088 cmdline: C:\Windows\SysWOW64\choice.exe MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
      • conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vcpkgsrv.exe (PID: 1784 cmdline: "C:\ProgramData\FNPLicensingService\vcpkgsrv.exe" MD5: 38901633C833CBA7F682472CED0DBE4B)
    • choice.exe (PID: 1988 cmdline: C:\Windows\SysWOW64\choice.exe MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
      • conhost.exe (PID: 2112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
{"C2 url": ["GreehnVibe.top", "shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "jMw1IE--SHELLS"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1938547558.00000000067D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000008.00000002.2760063375.000000000502B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000004.00000002.2453406512.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
(12 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.lumma_shredder.exe.67d0000.7.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.lumma_shredder.exe.67d0000.7.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
8.2.choice.exe.5031a8a.4.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
8.2.choice.exe.5031a8a.4.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen | strings:
  • 0x62dd0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6305c:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x62e5b:$s1: CoGetObject
  • 0x630e7:$s1: CoGetObject
  • 0x62db4:$s2: Elevation:Administrator!new:
  • 0x63040:$s2: Elevation:Administrator!new:
31.2.explorer.exe.5467b57.5.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(47 further entries not shown)
                        No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T16:58:28.275472+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:29.560395+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49742 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:30.760040+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49743 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:32.178858+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:33.471707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49745 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:35.483998+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:36.490270+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:37.672064+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:39.455108+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 157.180.25.156 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T16:58:29.084514+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:30.075333+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 104.21.64.1 | 443 | TCP
2025-02-14T16:58:38.300128+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T16:58:29.084514+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T16:58:37.191763+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 104.21.64.1 | 443 | TCP


                        AV Detection

Source: lumma_shredder.exe | Avira: detected
Source: shiningrstars.help | Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtC | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\txrsrg | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\mhmdv | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["GreehnVibe.top", "shiningrstars.help", "mercharena.biz", "generalmills.pro", "stormlegue.com", "blast-hubs.com", "blastikcn.com", "nestlecompany.pro"], "Build id": "jMw1IE--SHELLS"}
Source: lumma_shredder.exe | Virustotal: Detection: 20%
Source: lumma_shredder.exe | ReversingLabs: Detection: 24%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: GreehnVibe.top
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: shiningrstars.help
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: mercharena.biz
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: generalmills.pro
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: stormlegue.com
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: blast-hubs.com
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: blastikcn.com
Source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: nestlecompany.pro
Source: C:\Users\user\Desktop\lumma_shredder.exe | Code function: 4_2_0041A491 CryptUnprotectData, 4_2_0041A491

                        Exploits

Source: Yara match | File source: 8.2.choice.exe.5031a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.explorer.exe.5467b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.choice.exe.4a58b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.choice.exe.5341a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.choice.exe.5387757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vcpkgsrv.exe.e4439ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.vcpkgsrv.exe.e06f9ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vcpkgsrv.exe.e3fe901.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.vcpkgsrv.exe.e13d5ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.choice.exe.5076b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.choice.exe.5386b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.choice.exe.4a13a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.vcpkgsrv.exe.e0705ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vcpkgsrv.exe.e09a9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vcpkgsrv.exe.e4445ce.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.choice.exe.4a59757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vcpkgsrv.exe.e09b5ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.vcpkgsrv.exe.e02a901.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.vcpkgsrv.exe.e0f7901.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vcpkgsrv.exe.e055901.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.explorer.exe.5468757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.explorer.exe.5422a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.vcpkgsrv.exe.e13c9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.choice.exe.5077757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2760063375.000000000502B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2682520863.000000000E3F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2731910081.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2826392849.000000000533B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2915260688.000000000541C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2707747768.000000000E024000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2749469425.000000000E0F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2673919448.000000000E04F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2732442474.0000000004A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: choice.exe PID: 4088, type: MEMORYSTR
Source: lumma_shredder.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.17.151.117:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.91.155.37:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 157.180.25.156:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: lumma_shredder.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\e\out\binaries\x86ret\bin\i386\cpfe.pdb source: vcpkgsrv.exe, 00000005.00000002.2676644497.000000007D001000.00000020.00000001.01000000.0000000B.sdmp, vcpkgsrv.exe, 00000007.00000002.2685034544.000000007D001000.00000020.00000001.01000000.00000012.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710234752.000000007D001000.00000020.00000001.01000000.00000012.sdmp, vcpkgsrv.exe, 00000011.00000002.2760750575.000000007D001000.00000020.00000001.01000000.00000012.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lumma_shredder.exe, 00000000.00000002.1936949820.0000000005F50000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.0000000003986000.00000004.00000800.00020000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdbUGP source: vcpkgsrv.exe, 00000005.00000002.2674710125.000000000E65A000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000005.00000002.2674952684.000000000E9B0000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683314675.000000000EA05000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683843933.000000000F11E000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683538573.000000000ED60000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2760865994.0000000005630000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2759829017.0000000004C8D000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708245479.000000000E621000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708955763.000000000ED3D000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708510445.000000000E980000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2733940086.0000000005010000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2732112002.000000000466C000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2753460644.000000000EE08000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2750166940.000000000E6FA000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2751876755.000000000EA50000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2827084674.0000000005940000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2826169830.0000000004F9C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lumma_shredder.exe, 00000000.00000002.1936949820.0000000005F50000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.0000000003986000.00000004.00000800.00020000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdb source: vcpkgsrv.exe, 00000005.00000002.2674710125.000000000E65A000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000005.00000002.2674952684.000000000E9B0000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683314675.000000000EA05000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683843933.000000000F11E000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683538573.000000000ED60000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2760865994.0000000005630000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2759829017.0000000004C8D000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708245479.000000000E621000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708955763.000000000ED3D000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708510445.000000000E980000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2733940086.0000000005010000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2732112002.000000000466C000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2753460644.000000000EE08000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2750166940.000000000E6FA000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2751876755.000000000EA50000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2827084674.0000000005940000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2826169830.0000000004F9C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: vcpkgsrv.exe, 00000005.00000002.2675266796.000000006F851000.00000020.00000001.01000000.00000009.sdmp, vcpkgsrv.exe, 00000007.00000002.2684835349.000000006CB61000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709917046.000000006F811000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 00000011.00000002.2760272456.000000006CAF1000.00000020.00000001.01000000.0000000F.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcpkgsrv.exe, 00000005.00000002.2676321456.000000006F911000.00000020.00000001.01000000.0000000A.sdmp, vcpkgsrv.exe, 00000005.00000003.2666411205.0000000005000000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2684944242.000000006F701000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709796045.000000006F7F1000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 00000011.00000002.2760152948.000000006CAD1000.00000020.00000001.01000000.00000010.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\concrt140.i386.pdb source: vcpkgsrv.exe, vcpkgsrv.exe, 00000007.00000002.2684695158.000000006CB21000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710048159.000000006F881000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 00000011.00000002.2760482274.000000006CB61000.00000020.00000001.01000000.00000011.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2675266796.000000006F851000.00000020.00000001.01000000.00000009.sdmp, vcpkgsrv.exe, 00000007.00000002.2684835349.000000006CB61000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709917046.000000006F811000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 00000011.00000002.2760272456.000000006CAF1000.00000020.00000001.01000000.0000000F.sdmp
                        Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\c\out\binaries\x86ret\bin\i386\VC7\VCPackages\VCPkgSrv.pdb source: vcpkgsrv.exe, vcpkgsrv.exe, 00000007.00000002.2677247079.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 0000000A.00000000.2694178938.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 00000011.00000000.2730890118.0000000000401000.00000020.00000001.01000000.0000000E.sdmp
                        Source: Binary string: protobuf-net.pdb source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\concrt140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2675878579.000000006F8C1000.00000020.00000001.01000000.00000008.sdmp, vcpkgsrv.exe, 00000007.00000002.2684695158.000000006CB21000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710048159.000000006F881000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 00000011.00000002.2760482274.000000006CB61000.00000020.00000001.01000000.00000011.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2676321456.000000006F911000.00000020.00000001.01000000.0000000A.sdmp, vcpkgsrv.exe, 00000005.00000003.2666411205.0000000005000000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2684944242.000000006F701000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709796045.000000006F7F1000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 00000011.00000002.2760152948.000000006CAD1000.00000020.00000001.01000000.00000010.sdmp
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32Jump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandlerJump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32Jump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServerJump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ElevationJump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
                        Source: C:\Windows\SysWOW64\choice.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior

                        Networking

                        Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49747 -> 104.21.64.1:443
                        Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 62.60.234.80 1466
                        Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 104.73.234.102 443
                        Source: Malware configuration extractor URLs: GreehnVibe.top
                        Source: Malware configuration extractor URLs: shiningrstars.help
                        Source: Malware configuration extractor URLs: mercharena.biz
                        Source: Malware configuration extractor URLs: generalmills.pro
                        Source: Malware configuration extractor URLs: stormlegue.com
                        Source: Malware configuration extractor URLs: blast-hubs.com
                        Source: Malware configuration extractor URLs: blastikcn.com
                        Source: Malware configuration extractor URLs: nestlecompany.pro
                        Source: global traffic TCP traffic: 192.168.2.4:50021 -> 62.60.234.80:1466
                        Source: global traffic HTTP traffic detected: GET /file_premium/3s2efjs3c6xzd9j/zeef.dat/file HTTP/1.1Host: www.mediafire.comConnection: Keep-Alive
                        Source: global traffic HTTP traffic detected: GET /mfqgev8gj5egcWoF0DJM0EThsN3qMgecvbUGBbSOhCrrgK5iMejYcna7XX3cGfJEMk-xuIzce-HjlWIaohtMxdyDb67Uxz0PuHnIWi8rm31f-EbVlktSuKqg7GMbbgbnH0sSC9tLX5WEwuU63bm4SciCxIKCZTsKIAO-DP5JLw/3s2efjs3c6xzd9j/zeef.dat HTTP/1.1Host: download2296.mediafire.comCookie: ukey=xxgra79ixos0j444x0tq04cyoloo4qya; __cf_bm=Prl5O0QeqjqDtR.Qksd7MlBdIJXe8gB7mrwYc_j94yc-1739548683-1.0.1.1-qS4eyrEGCngfv6.FWHUae4SNNfx7Ind62nOOQ3lTWWb9SVKFDArczIFLeLXd6Y9dVKDdmQUIOGAWf.yGnPNMyAConnection: Keep-Alive
                        Source: Joe Sandbox View IP Address: 62.60.234.80 62.60.234.80
                        Source: Joe Sandbox View IP Address: 104.17.151.117 104.17.151.117
                        Source: Joe Sandbox View IP Address: 104.21.64.1 104.21.64.1
                        Source: Joe Sandbox View ASN Name: ASLINE-AS-APASLINELIMITEDHK ASLINE-AS-APASLINELIMITEDHK
                        Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                        Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 157.180.25.156:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.64.1:443
                        Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.64.1:443
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V9UE1HZ8ZNG5GFMJ1QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18166Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G1BIZ5XPURKA9HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8763Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H2YOWME9ENKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20398Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XC2SVTMUBJI0NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2405Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RZCOVASEZT44G1YOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1102Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: greehnvibe.top
                        Source: global traffic HTTP traffic detected: GET /MmLFL.bin HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: qu.ax
                        Source: unknown TCP traffic detected without corresponding DNS query: 62.60.234.80
                        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic HTTP traffic detected: GET /profiles/76561198446647282 HTTP/1.1Host: steamcommunity.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
                        Source: global traffic DNS traffic detected: DNS query: www.mediafire.com
                        Source: global traffic DNS traffic detected: DNS query: download2296.mediafire.com
                        Source: global traffic DNS traffic detected: DNS query: greehnvibe.top
                        Source: global traffic DNS traffic detected: DNS query: cegu.shop
                        Source: global traffic DNS traffic detected: DNS query: qu.ax
                        Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                        Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: greehnvibe.top
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0W
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
                        Source: choice.exe, 00000008.00000002.2761552858.0000000005C10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2912955678.000000000359B000.00000002.00000001.01000000.00000000.sdmp, choice.exe, 00000012.00000002.2827430941.0000000005EF0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2912780687.0000000000B4B000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdtls:
                        Source: vcpkgsrv.exe, 00000005.00000002.2673919448.000000000DFF8000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2682520863.000000000E3A1000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2760063375.0000000004FE2000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2707747768.000000000DFCD000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2732442474.00000000049C4000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2749469425.000000000E09A000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2826392849.00000000052F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://GreehnVibe.top/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb.jpg
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_medium.jpg
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/8574262446/ph.txt
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/8574262446/ph.txtC
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=N4H9vOOxi8kG&l=english&am
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=kDTc
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/cl
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=sd6kCnGQW5Ji&
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=L76dql3x7WI
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download2296.mediafire.com
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download2296.mediafire.com/mfqgev8gj5egcWoF0DJM0EThsN3qMgecvbUGBbSOhCrrgK5iMejYcna7XX3cGfJEM
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greehnvibe.top/
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000147A000.00000004.00000020.00020000.00000000.sdmp, lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://qu.ax/MmLFL.bin
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000147A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://qu.ax/MmLFL.bino
                        Source: lumma_shredder.exe, 00000004.00000002.2457838498.0000000001480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://qu.ax/vG
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shared.cloudflare.steamstatic.com/store_item_assets/steam/apps/297750/capsule_184x69.jpg?t=1
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/app/297750
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/comment/Profile/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561198446647282
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561198446647282https://community.cloudflare
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561198446647282/games/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561198446647282/games/?tab=all
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064EC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561198446647282/games/?tab=allhttps://steamcommunity.com/linkf
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561198446647282/inventory/
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199003164182
                        Source: explorer.exe, 0000001F.00000002.2945617884.00000000064E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mediafire.com
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mediafire.com/file_premium/3s2efjs3c6xzd9j/zeef.dat/file
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                        Source: unknownHTTPS traffic detected: 104.17.151.117:443 -> 192.168.2.4:49733 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 199.91.155.37:443 -> 192.168.2.4:49734 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49741 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49746 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49747 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49748 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 157.180.25.156:443 -> 192.168.2.4:49749 version: TLS 1.2
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043AF00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,4_2_0043AF00

System Summary

Source: 8.2.choice.exe.5031a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.5467b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.choice.exe.4a58b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.choice.exe.5341a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.choice.exe.5387757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.vcpkgsrv.exe.e4439ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.vcpkgsrv.exe.e06f9ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.vcpkgsrv.exe.e3fe901.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.vcpkgsrv.exe.e13d5ce.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.choice.exe.5076b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.choice.exe.5386b57.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.choice.exe.4a13a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.vcpkgsrv.exe.e0705ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.vcpkgsrv.exe.e09a9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.vcpkgsrv.exe.e4445ce.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.choice.exe.4a59757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.vcpkgsrv.exe.e09b5ce.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.vcpkgsrv.exe.e02a901.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.vcpkgsrv.exe.e0f7901.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.vcpkgsrv.exe.e055901.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.5468757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.explorer.exe.5422a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.vcpkgsrv.exe.e13c9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.choice.exe.5077757.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_05F3DC40 NtResumeThread,	0_2_05F3DC40
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C144F9	0_2_00C144F9
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C148B0	0_2_00C148B0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C119D0	0_2_00C119D0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C11D70	0_2_00C11D70
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C13E20	0_2_00C13E20
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C1240B	0_2_00C1240B
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C145EA	0_2_00C145EA
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C1489A	0_2_00C1489A
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C12828	0_2_00C12828
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C11DAA	0_2_00C11DAA
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C11D60	0_2_00C11D60
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C11E53	0_2_00C11E53
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_00C13E11	0_2_00C13E11
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_07120006	0_2_07120006
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_07120040	0_2_07120040
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 0_2_0713E880	0_2_0713E880
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042A030	4_2_0042A030
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004258F0	4_2_004258F0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004401E0	4_2_004401E0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0040E9A1	4_2_0040E9A1
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004481B0	4_2_004481B0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041AADA	4_2_0041AADA
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00433349	4_2_00433349
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0040CB00	4_2_0040CB00
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0040BB20	4_2_0040BB20
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00416410	4_2_00416410
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041A491	4_2_0041A491
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00414DC1	4_2_00414DC1
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004456D2	4_2_004456D2
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0043FE90	4_2_0043FE90
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004436B0	4_2_004436B0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00447700	4_2_00447700
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042CF30	4_2_0042CF30
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004117BF	4_2_004117BF
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00422060	4_2_00422060
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0043F860	4_2_0043F860
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041C065	4_2_0041C065
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042F800	4_2_0042F800
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042C00F	4_2_0042C00F
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00404812	4_2_00404812
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00441010	4_2_00441010
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00407016	4_2_00407016
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042C819	4_2_0042C819
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004198BF	4_2_004198BF
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00433142	4_2_00433142
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00441950	4_2_00441950
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00415966	4_2_00415966
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042A970	4_2_0042A970
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041C97B	4_2_0041C97B
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00421900	4_2_00421900
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00438920	4_2_00438920
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00402130	4_2_00402130
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042E93C	4_2_0042E93C
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0043A9D0	4_2_0043A9D0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042B9E0	4_2_0042B9E0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041D199	4_2_0041D199
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0043E1B0	4_2_0043E1B0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00413200	4_2_00413200
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00426210	4_2_00426210
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00443AC0	4_2_00443AC0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041BACD	4_2_0041BACD
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042AAD2	4_2_0042AAD2
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0043C2F8	4_2_0043C2F8
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004192A0	4_2_004192A0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042F2B5	4_2_0042F2B5
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00408B60	4_2_00408B60
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042FB60	4_2_0042FB60
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00447B00	4_2_00447B00
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00422320	4_2_00422320
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0042F330	4_2_0042F330
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00420B38	4_2_00420B38
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0040A3E0	4_2_0040A3E0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_004473F0	4_2_004473F0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00423B90	4_2_00423B90
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041E3A0	4_2_0041E3A0
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_00427C4E	4_2_00427C4E
Source: C:\Users\user\Desktop\lumma_shredder.exe	Code function: 4_2_0041347C	4_2_0041347C
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446C004_2_00446C00
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0042D4104_2_0042D410
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00438C204_2_00438C20
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043ACC04_2_0043ACC0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0041FCDA4_2_0041FCDA
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00433CE74_2_00433CE7
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0042E4E54_2_0042E4E5
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043CC9A4_2_0043CC9A
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004354B04_2_004354B0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0041DCB94_2_0041DCB9
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0042CCBA4_2_0042CCBA
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0044655A4_2_0044655A
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0040FD784_2_0040FD78
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446D104_2_00446D10
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446D274_2_00446D27
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0042D52E4_2_0042D52E
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446D294_2_00446D29
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00431D304_2_00431D30
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043EDF74_2_0043EDF7
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446DF04_2_00446DF0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004035904_2_00403590
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004325A04_2_004325A0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00433E434_2_00433E43
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00407E504_2_00407E50
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004106504_2_00410650
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004096004_2_00409600
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043F6004_2_0043F600
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00443E004_2_00443E00
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00410E304_2_00410E30
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00447E304_2_00447E30
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0043363E4_2_0043363E
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00437ED14_2_00437ED1
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004416D04_2_004416D0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00420EF04_2_00420EF0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0040C6804_2_0040C680
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446E804_2_00446E80
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0040BEA04_2_0040BEA0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004296A84_2_004296A8
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0040EEB04_2_0040EEB0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004267504_2_00426750
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004447004_2_00444700
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_0042A7104_2_0042A710
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00446F204_2_00446F20
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_00403F304_2_00403F30
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004027E04_2_004027E0
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004207F34_2_004207F3
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exeCode function: 5_2_00408D6E5_2_00408D6E
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exeCode function: 5_2_004010045_2_00401004
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exeCode function: 5_2_004064145_2_00406414
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exeCode function: 5_2_0040129F5_2_0040129F
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_00408D6E7_2_00408D6E
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_004010047_2_00401004
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_004064147_2_00406414
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_0040129F7_2_0040129F
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB39DF57_2_6CB39DF5
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB214D97_2_6CB214D9
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB3960B7_2_6CB3960B
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB400C77_2_6CB400C7
                        Source: Joe Sandbox View Dropped File: C:\ProgramData\FNPLicensingService\concrt140.dll 0A3894DD420ED6B4C7EBBDE463DBBDE69CDB032E290B1C86C21CCDAA4DA95526
                        Source: Joe Sandbox View Dropped File: C:\ProgramData\FNPLicensingService\cpfe.dll 4FDCAC3F2019FC7E98A60373E4B263A605DBABE2965FDC7CC5348523C24F8D35
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Code function: String function: 00419290 appears 107 times
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Code function: String function: 0040B3D0 appears 51 times
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Code function: String function: 00C10970 appears 35 times
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Code function: String function: 6CB290FB appears 50 times
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Code function: String function: 6CB49ECE appears 148 times
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Code function: String function: 6CB49E2F appears 39 times
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 324
                        Source: lumma_shredder.exe Static PE information: invalid certificate
                        Source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000000.1668490675.00000000004EC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBdeqvdh.exe0 vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1921659660.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1936949820.0000000005F50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1930429118.0000000003986000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1937233232.00000000063C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameChpyed.dll" vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedbxinf.dllP vs lumma_shredder.exe
                        Source: lumma_shredder.exe, 00000004.00000002.2459686579.0000000003A68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedbxint.dllP vs lumma_shredder.exe
                        Source: lumma_shredder.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        Source: 8.2.choice.exe.5031a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 31.2.explorer.exe.5467b57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 11.2.choice.exe.4a58b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.choice.exe.5341a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.choice.exe.5387757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.vcpkgsrv.exe.e4439ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 10.2.vcpkgsrv.exe.e06f9ce.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.vcpkgsrv.exe.e3fe901.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.vcpkgsrv.exe.e13d5ce.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 8.2.choice.exe.5076b57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 18.2.choice.exe.5386b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 11.2.choice.exe.4a13a8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 10.2.vcpkgsrv.exe.e0705ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.vcpkgsrv.exe.e09a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 7.2.vcpkgsrv.exe.e4445ce.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 11.2.choice.exe.4a59757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.vcpkgsrv.exe.e09b5ce.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 10.2.vcpkgsrv.exe.e02a901.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.vcpkgsrv.exe.e0f7901.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 5.2.vcpkgsrv.exe.e055901.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 31.2.explorer.exe.5468757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 31.2.explorer.exe.5422a8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 17.2.vcpkgsrv.exe.e13c9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 8.2.choice.exe.5077757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
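Analyst note (added here; not part of the Joe Sandbox output). The twenty-four matches above all hit a single rule, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, but in the unpacked memory of three different images: vcpkgsrv.exe (the dropped stage, PIDs 5, 7, 10, 17) and the Windows-shipped choice.exe (PIDs 8, 11, 18) and explorer.exe (PID 31), whose on-disk code does not contain this payload. That distribution is the injection picture the "Injects code into the Windows Explorer" and "Found hidden mapped module" signatures describe. The script below is an added example, not Joe Sandbox code: it parses match lines of this form (tolerating the fused "UNPACKEDPEMatched rule" spelling of the raw export), groups them by rule, image and PID, and names the system images that can only hold such a match because something was written into them. The sample lines are a constructed subset copied from the list above; the set of Windows system image names is an assumption used as a baseline.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Yara match lines from the report above.
SAMPLE_MATCH_LINES = [
    "Source: 8.2.choice.exe.5031a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 31.2.explorer.exe.5467b57.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 11.2.choice.exe.4a58b57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 7.2.vcpkgsrv.exe.e4439ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 5.2.vcpkgsrv.exe.e09a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 8.2.choice.exe.5076b57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
]

# Joe Sandbox dump id: <pid>.<stage>.<image>.<hex address>.<index>.raw.unpack
# The image name itself may contain dots, so it is matched lazily up to .exe/.dll.
DUMP_RE = re.compile(
    r"(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.(?:exe|dll))\.(?P<addr>[0-9a-f]+)\.(?P<idx>\d+)\.raw\.unpack",
    re.IGNORECASE,
)
RULE_RE = re.compile(r"Matched rule:\s*(?P<rule>\S+)")
MITRE_RE = re.compile(r"MITRE \((?P<tid>T\d+(?:\.\d+)?)\)")

# Assumption: Windows-shipped images whose on-disk code cannot legitimately carry this payload.
SYSTEM_IMAGES = {"explorer.exe", "choice.exe", "conhost.exe", "werfault.exe"}


def parse_match(line):
    """Return (pid, image, addr, rule, mitre_id) for a Yara match line, or None."""
    d, r = DUMP_RE.search(line), RULE_RE.search(line)
    if not d or not r:
        return None
    m = MITRE_RE.search(line)
    return int(d["pid"]), d["image"].lower(), d["addr"].lower(), r["rule"], (m["tid"] if m else None)


def summarize(lines):
    """rule -> image -> sorted unique PIDs whose unpacked memory matched the rule."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        p = parse_match(line)
        if p:
            pid, image, _, rule, _ = p
            out[rule][image].add(pid)
    return {rule: {img: sorted(pids) for img, pids in imgs.items()} for rule, imgs in out.items()}


def injected_hosts(summary, system_images=SYSTEM_IMAGES):
    """System images that hold a match only an injected payload can explain."""
    return {img for imgs in summary.values() for img in imgs if img in system_images}


if __name__ == "__main__":
    s = summarize(SAMPLE_MATCH_LINES)
    for rule, imgs in s.items():
        print(rule)
        for img, pids in sorted(imgs.items()):
            print(f"  {img:<16} pids={pids}")
    print("injected into:", sorted(injected_hosts(s)))
```

Run over the full list above, the same grouping yields three images per rule; any image in the system-image set with a match is a candidate for memory acquisition of that PID before the sandbox tears it down.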
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: lumma_shredder.exe, 00000000.00000002.1921659660.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBP
                        Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@27/42@6/6
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Code function: 4_2_004401E0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\3630303063323934326663653464303636363339363966353332653435643161
                        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1816
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03
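Analyst note (added here; not part of the Joe Sandbox output). The three conhost.exe mutants (SM0:<pid>:120:WilError_03) and the WerFault one are ordinary Windows objects. The one worth keeping is the Global mutex created by the injected explorer.exe: its 64-character name is ASCII rendered as hex, and decodes to 6000c2942fce4d06663969f532e45d1a, itself a 32-digit hex string (128 bits, the width of an MD5 or a dashless GUID). A fixed Global\ name of this shape is what a single-instance check typically uses, and it is a precise host-based indicator for this build. The script below is an added example, not Joe Sandbox code: it strips the object-directory prefix, drops names matching a baseline of Windows-owned patterns (an assumption, not something the report states), and decodes any remaining hex-encoded name. The sample list is constructed from the mutant lines above.

```python
import re
import string

# Constructed sample: the mutant names listed in the report above.
SAMPLE_MUTANTS = [
    r"\Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03",
    r"\Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03",
    r"\Sessions\1\BaseNamedObjects\Global\3630303063323934326663653464303636363339363966353332653435643161",
    r"\Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1816",
    r"\Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03",
]

# Assumption: baseline of Windows-owned mutex name shapes that can be ignored.
BENIGN_PATTERNS = [
    re.compile(r"^SM0:\d+:\d+:WilError_\d+$"),    # conhost.exe / WIL error reporting
    re.compile(r"^WERReportingForProcess\d+$"),   # Windows Error Reporting
]
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def split_name(full):
    """'\\Sessions\\1\\BaseNamedObjects\\Global\\X' -> ('Global', 'X'); scope is '' when absent."""
    parts = full.split("\\")
    leaf = parts[-1]
    scope = parts[-2] if len(parts) >= 2 and parts[-2] in ("Global", "Local") else ""
    return scope, leaf


def is_benign(leaf):
    return any(p.match(leaf) for p in BENIGN_PATTERNS)


def decode_hex_ascii(leaf):
    """Decode an even-length hex string to text if every byte is printable ASCII, else None."""
    if len(leaf) % 2 or not HEX_RE.match(leaf):
        return None
    try:
        text = bytes.fromhex(leaf).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def triage(names):
    """Return the non-baseline mutexes with scope, raw leaf and decoded form (if hex-encoded)."""
    findings = []
    for full in names:
        scope, leaf = split_name(full)
        if is_benign(leaf):
            continue
        decoded = decode_hex_ascii(leaf)
        findings.append({
            "scope": scope,
            "name": leaf,
            "decoded": decoded,
            # a decoded 32-hex-digit value is 128 bits wide, e.g. an MD5 or a GUID without dashes
            "decoded_is_hex128": bool(decoded) and len(decoded) == 32 and bool(HEX_RE.match(decoded)),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MUTANTS):
        print(finding)
```

Both forms are worth recording as indicators: the raw 64-character name is what a live host exposes to a handle enumeration, while the decoded value is what you would search for in other samples' configuration or in strings output.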
                        Source: C:\Users\user\Desktop\lumma_shredder.exe File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: lumma_shredder.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: lumma_shredder.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: vcpkgsrv.exe, 00000005.00000002.2667906508.0000000000401000.00000020.00000001.01000000.00000007.sdmp, vcpkgsrv.exe, 00000007.00000002.2677247079.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 0000000A.00000000.2694178938.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 00000011.00000000.2730890118.0000000000401000.00000020.00000001.01000000.0000000E.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: vcpkgsrv.exe, vcpkgsrv.exe, 00000007.00000002.2677247079.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 0000000A.00000000.2694178938.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 00000011.00000000.2730890118.0000000000401000.00000020.00000001.01000000.0000000E.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: lumma_shredder.exe Virustotal: Detection: 20%
                        Source: lumma_shredder.exe ReversingLabs: Detection: 24%
                        Source: unknown Process created: C:\Users\user\Desktop\lumma_shredder.exe "C:\Users\user\Desktop\lumma_shredder.exe"
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Process created: C:\Users\user\Desktop\lumma_shredder.exe "C:\Users\user\Desktop\lumma_shredder.exe"
                        Source: C:\Users\user\Desktop\lumma_shredder.exe Process created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe "C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe"
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe Process created: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe C:\ProgramData\FNPLicensingService\vcpkgsrv.exe
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown Process created: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe C:\ProgramData\FNPLicensingService\vcpkgsrv.exe
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: unknown Process created: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe "C:\ProgramData\FNPLicensingService\vcpkgsrv.exe"
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 324
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 332
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 376
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 384
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 348
                        Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
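Analyst note (added here; not part of the Joe Sandbox output). The process list reads as one chain: lumma_shredder.exe (the .NET loader) starts a second instance of itself, drops vcpkgsrv.exe into %TEMP%, that copy re-launches itself from C:\ProgramData\FNPLicensingService, the ProgramData copy starts choice.exe, and choice.exe starts explorer.exe, which then crashes into WerFault.exe five times for PID 1816. choice.exe is a console prompt utility that creates no child of its own beyond its console host, so choice.exe as the parent of explorer.exe is the step where the injected payload moves on, and it is an easy parent/child pair to alert on. The two launches of the ProgramData copy with no recorded parent ("unknown") are what a scheduled task or similar persistence looks like in this view; the Task Scheduler library seen in the loader's memory above is consistent with that, though the report does not show the task itself. The script below is an added example, not Joe Sandbox code: it parses "Process created" lines (including the fused "exeProcess created" spelling of the raw export), builds the parent-to-child tree by image name, and flags three patterns visible here. The sample lines are a constructed subset copied from the list above (four of the five WerFault launches kept); the console-utility set, the user-writable path markers and the crash threshold are assumptions used as a detection baseline.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: process-creation lines from the report above, in the cleaned
# "Source: <parent> Process created: <child> <command line>" form. The last line keeps
# the fused "exeProcess created" spelling of the raw export to show the parser tolerates it.
SAMPLE_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\lumma_shredder.exe "C:\Users\user\Desktop\lumma_shredder.exe"',
    r'Source: C:\Users\user\Desktop\lumma_shredder.exe Process created: C:\Users\user\Desktop\lumma_shredder.exe "C:\Users\user\Desktop\lumma_shredder.exe"',
    r'Source: C:\Users\user\Desktop\lumma_shredder.exe Process created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe "C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe Process created: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe C:\ProgramData\FNPLicensingService\vcpkgsrv.exe',
    r'Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe',
    r'Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\SysWOW64\choice.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe',
    r'Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 324',
    r'Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 332',
    r'Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 376',
    r'Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 384',
]

# Parent is matched lazily so the fused form (no space before "Process created") also parses.
# Child image paths in this report contain no spaces, hence \S+.
LINE_RE = re.compile(r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<child>\S+)(?:\s+(?P<cmdline>.*))?$")

# Assumptions used as a detection baseline, not facts stated by the report:
CONSOLE_UTILITIES = {"choice.exe"}                       # spawn nothing but their console host
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\temp\\")
WERFAULT_THRESHOLD = 3                                    # crashes of one PID before it is called out


def parse_line(line):
    """Return (parent, child, cmdline) for a process-creation line, or None."""
    m = LINE_RE.match(line)
    return (m["parent"], m["child"], m["cmdline"] or "") if m else None


def image_name(path):
    return PureWindowsPath(path).name.lower()


def build_tree(lines):
    """parent image -> sorted child images, keyed by basename."""
    tree = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p:
            tree[image_name(p[0])].add(image_name(p[1]))
    return {k: sorted(v) for k, v in tree.items()}


def find_suspicious(lines):
    """Return (rule, subject, detail) tuples for the three patterns this tree exhibits."""
    findings, werfault_by_pid = [], Counter()
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        parent, child, cmdline = p
        pimg, cimg = image_name(parent), image_name(child)
        if pimg in CONSOLE_UTILITIES and cimg != "conhost.exe":
            findings.append(("console-utility-spawned-child", parent, child))
        if any(marker in child.lower() for marker in USER_WRITABLE):
            findings.append(("image-in-user-writable-path", parent, child))
        if cimg == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", cmdline)       # WerFault's -p names the crashing PID
            if m:
                werfault_by_pid[m.group(1)] += 1
    for pid, n in werfault_by_pid.items():
        if n >= WERFAULT_THRESHOLD:
            findings.append(("repeated-werfault-for-pid", pid, str(n)))
    return findings


if __name__ == "__main__":
    for parent, children in build_tree(SAMPLE_LINES).items():
        print(f"{parent} -> {children}")
    for finding in find_suspicious(SAMPLE_LINES):
        print(finding)
```

The repeated WerFault launches are themselves useful telemetry: a Windows process that keeps faulting right after an unusual parent started it is the typical footprint of injected code that does not survive in the target, and the -p value ties every crash back to the one explorer.exe PID.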
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: webio.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: concrt140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: cpfe.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: dbghelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: pla.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: pdh.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: tdh.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: cabinet.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: wevtapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: shdocvw.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Section loaded: ntmarta.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: apphelp.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: concrt140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cpfe.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: mscoree.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: dbghelp.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pla.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: tdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cabinet.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: wevtapi.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: shdocvw.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: xmllite.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: concrt140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cpfe.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: mscoree.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: dbghelp.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pla.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: tdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cabinet.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: wevtapi.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: shdocvw.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: msftedit.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: comsvcs.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: cmlua.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: cmutil.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: concrt140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: msvcp140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cpfe.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: vcruntime140.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: mscoree.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: dbghelp.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pla.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: pdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: tdh.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: cabinet.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: wevtapi.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: shdocvw.dll
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\choice.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rasadhlp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Windows\SysWOW64\msftedit.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: lumma_shredder.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: lumma_shredder.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\e\out\binaries\x86ret\bin\i386\cpfe.pdb source: vcpkgsrv.exe, 00000005.00000002.2676644497.000000007D001000.00000020.00000001.01000000.0000000B.sdmp, vcpkgsrv.exe, 00000007.00000002.2685034544.000000007D001000.00000020.00000001.01000000.00000012.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710234752.000000007D001000.00000020.00000001.01000000.00000012.sdmp, vcpkgsrv.exe, 00000011.00000002.2760750575.000000007D001000.00000020.00000001.01000000.00000012.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lumma_shredder.exe, 00000000.00000002.1936949820.0000000005F50000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.0000000003986000.00000004.00000800.00020000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdbUGP source: vcpkgsrv.exe, 00000005.00000002.2674710125.000000000E65A000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000005.00000002.2674952684.000000000E9B0000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683314675.000000000EA05000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683843933.000000000F11E000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683538573.000000000ED60000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2760865994.0000000005630000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2759829017.0000000004C8D000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708245479.000000000E621000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708955763.000000000ED3D000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708510445.000000000E980000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2733940086.0000000005010000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2732112002.000000000466C000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2753460644.000000000EE08000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2750166940.000000000E6FA000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2751876755.000000000EA50000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2827084674.0000000005940000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2826169830.0000000004F9C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lumma_shredder.exe, 00000000.00000002.1936949820.0000000005F50000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.0000000003986000.00000004.00000800.00020000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: wntdll.pdb source: vcpkgsrv.exe, 00000005.00000002.2674710125.000000000E65A000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000005.00000002.2674952684.000000000E9B0000.00000004.00000800.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683314675.000000000EA05000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683843933.000000000F11E000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2683538573.000000000ED60000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2760865994.0000000005630000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000008.00000002.2759829017.0000000004C8D000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708245479.000000000E621000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708955763.000000000ED3D000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 0000000A.00000002.2708510445.000000000E980000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2733940086.0000000005010000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 0000000B.00000002.2732112002.000000000466C000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2753460644.000000000EE08000.00000004.00000001.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2750166940.000000000E6FA000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000011.00000002.2751876755.000000000EA50000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2827084674.0000000005940000.00000004.00001000.00020000.00000000.sdmp, choice.exe, 00000012.00000002.2826169830.0000000004F9C000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: vcpkgsrv.exe, 00000005.00000002.2675266796.000000006F851000.00000020.00000001.01000000.00000009.sdmp, vcpkgsrv.exe, 00000007.00000002.2684835349.000000006CB61000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709917046.000000006F811000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 00000011.00000002.2760272456.000000006CAF1000.00000020.00000001.01000000.0000000F.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcpkgsrv.exe, 00000005.00000002.2676321456.000000006F911000.00000020.00000001.01000000.0000000A.sdmp, vcpkgsrv.exe, 00000005.00000003.2666411205.0000000005000000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2684944242.000000006F701000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709796045.000000006F7F1000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 00000011.00000002.2760152948.000000006CAD1000.00000020.00000001.01000000.00000010.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\concrt140.i386.pdb source: vcpkgsrv.exe, vcpkgsrv.exe, 00000007.00000002.2684695158.000000006CB21000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710048159.000000006F881000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 00000011.00000002.2760482274.000000006CB61000.00000020.00000001.01000000.00000011.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2675266796.000000006F851000.00000020.00000001.01000000.00000009.sdmp, vcpkgsrv.exe, 00000007.00000002.2684835349.000000006CB61000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709917046.000000006F811000.00000020.00000001.01000000.0000000F.sdmp, vcpkgsrv.exe, 00000011.00000002.2760272456.000000006CAF1000.00000020.00000001.01000000.0000000F.sdmp
                        Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\c\out\binaries\x86ret\bin\i386\VC7\VCPackages\VCPkgSrv.pdb source: vcpkgsrv.exe, vcpkgsrv.exe, 00000007.00000002.2677247079.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 0000000A.00000000.2694178938.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, vcpkgsrv.exe, 00000011.00000000.2730890118.0000000000401000.00000020.00000001.01000000.0000000E.sdmp
                        Source: Binary string: protobuf-net.pdb source: lumma_shredder.exe, 00000000.00000002.1938724886.0000000006850000.00000004.08000000.00040000.00000000.sdmp, lumma_shredder.exe, 00000000.00000002.1930429118.00000000038C1000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\concrt140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2675878579.000000006F8C1000.00000020.00000001.01000000.00000008.sdmp, vcpkgsrv.exe, 00000007.00000002.2684695158.000000006CB21000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 0000000A.00000002.2710048159.000000006F881000.00000020.00000001.01000000.00000011.sdmp, vcpkgsrv.exe, 00000011.00000002.2760482274.000000006CB61000.00000020.00000001.01000000.00000011.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: vcpkgsrv.exe, 00000005.00000002.2676321456.000000006F911000.00000020.00000001.01000000.0000000A.sdmp, vcpkgsrv.exe, 00000005.00000003.2666411205.0000000005000000.00000004.00000020.00020000.00000000.sdmp, vcpkgsrv.exe, 00000007.00000002.2684944242.000000006F701000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 0000000A.00000002.2709796045.000000006F7F1000.00000020.00000001.01000000.00000010.sdmp, vcpkgsrv.exe, 00000011.00000002.2760152948.000000006CAD1000.00000020.00000001.01000000.00000010.sdmp

                        Data Obfuscation

                        Source: 0.2.lumma_shredder.exe.6850000.8.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                        Source: 0.2.lumma_shredder.exe.6850000.8.raw.unpack, ListDecorator.cs | .Net Code: Read
                        Source: 0.2.lumma_shredder.exe.6850000.8.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                        Source: 0.2.lumma_shredder.exe.6850000.8.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                        Source: 0.2.lumma_shredder.exe.6850000.8.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.3935fb0.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.3a3a910.1.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                        Source: 0.2.lumma_shredder.exe.5f50000.4.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                        Source: Yara match, File source: 0.2.lumma_shredder.exe.67d0000.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0.2.lumma_shredder.exe.67d0000.7.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000000.00000002.1938547558.00000000067D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: lumma_shredder.exe PID: 4480, type: MEMORYSTR
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_6CB47FB7 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_6CB47FB7
                        Source: lumma_shredder.exe, Static PE information: real checksum: 0x180b6e8 should be: 0x181dc
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Code function: 0_2_02682A5F pushfd ; iretd 0_2_02682A60
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Code function: 0_2_071235BC push edi; retf 0_2_071235C2
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Code function: 4_2_00450365 push esp; iretd 4_2_0045039F
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Code function: 4_2_00446BB0 push eax; mov dword ptr [esp], F1F0F7A6h 4_2_00446BB2
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, Code function: 5_2_00401B4C push eax; retf 0009h 5_2_00401B4D
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, Code function: 5_2_00401B50 pushad ; retf 0009h 5_2_00401B51
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, Code function: 5_2_0040311A push eax; retf 0049h 5_2_00403151
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, Code function: 5_2_00401BD8 pushad ; iretd 5_2_00401BD9
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_00401B4C push eax; retf 0009h 7_2_00401B4D
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_00401B50 pushad ; retf 0009h 7_2_00401B51
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_0040311A push eax; retf 0049h 7_2_00403151
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_00401BD8 pushad ; iretd 7_2_00401BD9
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_6CB49E9C push ecx; ret 7_2_6CB49EAF
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_6CB4CFA2 pushfd ; iretd 7_2_6CB4CFAD
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe, Code function: 7_2_6CB21386 pushad ; retf 7_2_6CB21387
                        Source: 0.2.lumma_shredder.exe.63c0000.5.raw.unpack, Hwvvd6b3l69mmC2pjMY.cs, High entropy of concatenated method names: 'z0abewZfyO', 'eq4butfnIl', 'cYlbCjiWKK', 'egZbEOgPOm', 'fASbU78TFg', 'w20bcddJOM', 'T1fbPKa32e', 'iFxb1pBDHp', 'wn3bBh3G57', 'Pu7bO29bU5'
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclimg290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclhie290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcldb290.bpl
                        Source: C:\Windows\SysWOW64\choice.exe, File created: C:\Users\user\AppData\Local\Temp\txrsrg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxase.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxfb.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\concrt140.dll
                        Source: C:\Windows\SysWOW64\choice.exe, File created: C:\Users\user\AppData\Local\Temp\mhmdv
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcl290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\DbxDb2.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxasa.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclie290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\cpfe.dll
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, File created: C:\ProgramData\FNPLicensingService\concrt140.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, File created: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcldbx290.bpl
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe, File created: C:\ProgramData\FNPLicensingService\cpfe.dll
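The "real checksum ... should be" entry above flags a header CheckSum that no longer matches the file bytes, which is what you get when a binary is patched or repacked after linking. The following Python is an added example, not part of the Joe Sandbox report: it recomputes the PE checksum the way ImageHlp's CheckSumMappedFile (and pefile.generate_checksum) do, sums 16-bit words with end-around carry while skipping the CheckSum field, adds the file length, and reports match / mismatch / unset. The PE blob it builds is a constructed stand-in, not the lumma_shredder.exe sample; to check a real file, pass its path on the command line.

```python
import struct

CHECKSUM_IN_OPTIONAL_HEADER = 0x40  # same offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew (DOS header, offset 0x3C) points at the 4-byte "PE\\0\\0"
    signature; the 20-byte COFF file header follows it, and CheckSum sits
    0x40 bytes into the optional header after that.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    offset = e_lfanew + 4 + 20 + CHECKSUM_IN_OPTIONAL_HEADER
    if offset + 4 > len(data):
        raise ValueError("truncated optional header")
    return offset


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the PE checksum over the raw file bytes.

    Sum every little-endian 16-bit word except the two that make up the
    CheckSum field, fold carries back into 16 bits, then add the file size.
    An odd trailing byte is zero-padded for the word sum only.
    """
    skip = checksum_field_offset(data)
    words = data if len(data) % 2 == 0 else data + b"\x00"
    total = 0
    for off in range(0, len(words), 2):
        if off == skip or off == skip + 2:
            continue
        total += words[off] | (words[off + 1] << 8)
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def header_checksum(data: bytes) -> int:
    """CheckSum value as stored in the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check_pe_checksum(data: bytes) -> dict:
    """Compare stored vs. recomputed checksum; a zero header value is 'unset'
    (many unsigned builds leave it empty), anything else must match exactly."""
    stored = header_checksum(data)
    real = compute_pe_checksum(data)
    if stored == 0:
        status = "unset"
    elif stored == real:
        status = "match"
    else:
        status = "mismatch"   # header edited or file repacked after linking
    return {"header": stored, "computed": real, "status": status}


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def build_sample_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a PE file (not the report's sample): DOS header
    with e_lfanew = 0x40, PE signature, 20-byte COFF header, PE32 optional
    header with CheckSum left at zero, and deterministic filler bytes."""
    buf = bytearray((i * 37 + 11) & 0xFF for i in range(size))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x44, 0x014C)            # Machine: i386
    struct.pack_into("<H", buf, 0x58, 0x010B)            # Magic: PE32
    struct.pack_into("<I", buf, 0x58 + CHECKSUM_IN_OPTIONAL_HEADER, 0)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = set_pe_checksum(build_sample_pe())
    print(check_pe_checksum(blob))
```

A mismatch on its own is not proof of tampering (some toolchains never set the field), but a non-zero header value that disagrees with the bytes on disk, as in the report, means the image was modified after its checksum was written.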
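The "High entropy of concatenated method names" entry is a statistical test on identifier names from the unpacked .NET module. The Python below is an added example, not Joe Sandbox code: it computes Shannon entropy over the joined names, compares the ten obfuscated names quoted in the report against the readable protobuf-net and helper method names the report lists for the other unpacked modules, and adds a second heuristic visible in the same data (every one of the ten names has 'b' as its fourth character). The 5.0 bits/char threshold is an assumption chosen to separate these two sets, not a figure from the report.

```python
import math
from collections import Counter

# Method names copied from the report's "High entropy of concatenated method
# names" entry for 0.2.lumma_shredder.exe.63c0000.5.raw.unpack.
OBFUSCATED_NAMES = [
    "z0abewZfyO", "eq4butfnIl", "cYlbCjiWKK", "egZbEOgPOm", "fASbU78TFg",
    "w20bcddJOM", "T1fbPKa32e", "iFxb1pBDHp", "wn3bBh3G57", "Pu7bO29bU5",
]

# Readable names taken from the report's ".Net Code" entries (protobuf-net
# and the XML/reflection helpers); used here as the comparison baseline.
READABLE_NAMES = [
    "TryDeserializeList", "Read", "CreateInstance", "EmitCreateInstance",
    "EmitCreateIfNull", "InvokeMethod", "ReadObjectProperties",
]


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def concatenated_name_entropy(names) -> float:
    """The report's metric: entropy of all method names joined into one string.
    Joining first lets short names contribute without inflating the estimate."""
    return shannon_entropy("".join(names))


def fixed_position_chars(names) -> dict:
    """Positions at which every name carries the same character.

    Random-looking identifiers produced by a renaming obfuscator can still
    share a constant byte at a fixed index; for the report's names, index 3
    is always 'b'. Only indices present in the shortest name are considered.
    """
    if not names:
        return {}
    shortest = min(len(n) for n in names)
    return {i: names[0][i] for i in range(shortest)
            if all(n[i] == names[0][i] for n in names)}


def looks_obfuscated(names, entropy_threshold: float = 5.0) -> bool:
    """Assumed cut-off (not from the report): the random identifiers above
    score well over 5 bits/char, English-derived names in the baseline
    score around 4.4."""
    return concatenated_name_entropy(names) >= entropy_threshold


def name_report(names) -> dict:
    """Summary a triage script would log for one module's method names."""
    return {
        "count": len(names),
        "entropy_bits_per_char": round(concatenated_name_entropy(names), 3),
        "fixed_positions": fixed_position_chars(names),
        "obfuscated": looks_obfuscated(names),
    }


if __name__ == "__main__":
    print("obfuscated:", name_report(OBFUSCATED_NAMES))
    print("readable:  ", name_report(READABLE_NAMES))
```

Entropy alone is a weak signal on very short name sets, so the positional check is worth keeping alongside it: a constant character at a fixed index across otherwise random identifiers is something a human-written API never produces.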

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\choice.exe, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TXRSRG
                        Source: C:\Windows\SysWOW64\choice.exe, Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MHMDV
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\Desktop\lumma_shredder.exe, Process information set: NOOPENFILEERRORBOX (55 identical entries)
                        Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 identical entries)
                        Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX (140 identical entries)
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match -- File source: Process Memory Space: lumma_shredder.exe PID: 4480, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- System information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe -- API/Special instruction interceptor: Address: 6C297C44
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe -- API/Special instruction interceptor: Address: 6C297C44
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe -- API/Special instruction interceptor: Address: 6C297945
                        Source: C:\Windows\SysWOW64\choice.exe -- API/Special instruction interceptor: Address: 6C293B54
                        Source: C:\Windows\SysWOW64\explorer.exe -- API/Special instruction interceptor: Address: F7A317
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Memory allocated: C10000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Memory allocated: 28B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Memory allocated: 2700000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599280
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599169
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599022
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598900
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598784
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598656
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598539
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598417
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598310
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598203
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598094
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597984
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597875
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597765
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597656
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597547
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597437
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597328
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597219
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 597094
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596984
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596875
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596766
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596656
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596547
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596436
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596328
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596203
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 596085
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 595936
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 595779
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 595541
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 595437
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 595328
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Window / User API: threadDelayed 2252
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Window / User API: threadDelayed 7533
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclimg290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclhie290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcldb290.bpl
                        Source: C:\Windows\SysWOW64\choice.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\txrsrg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxase.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxfb.dll
                        Source: C:\Windows\SysWOW64\choice.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mhmdv
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcl290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\DbxDb2.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\dbxasa.dll
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vclie290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcldbx290.bpl
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep count: 35 > 30
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -32281802128991695s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 4432 -- Thread sleep count: 2252 > 30
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 4432 -- Thread sleep count: 7533 > 30
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99889s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99781s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99672s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99563s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99438s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99328s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99219s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -99094s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98984s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98875s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98744s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98640s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98521s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -98354s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -599280s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -599169s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -599022s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598900s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598784s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598656s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598539s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598417s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598310s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598203s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -598094s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597984s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597875s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597765s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597656s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597547s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597437s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597328s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597219s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -597094s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596984s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596875s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596766s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596656s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596547s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596436s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596328s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596203s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -596085s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -595936s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -595779s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -595541s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -595437s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5480 -- Thread sleep time: -595328s >= -30000s
                        Source: C:\Users\user\Desktop\lumma_shredder.exe TID: 5084 -- Thread sleep time: -150000s >= -30000s
                        Source: C:\Windows\SysWOW64\explorer.exe -- File opened: PhysicalDrive0
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99889
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99781
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99672
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99563
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99438
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99328
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99219
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 99094
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98984
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98875
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98744
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98640
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98521
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 98354
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599280
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599169
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 599022
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598900
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598784
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598656
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598539
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598417
                        Source: C:\Users\user\Desktop\lumma_shredder.exe -- Thread delayed: delay time: 598310
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 598203Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 598094Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597984Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597875Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597765Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597656Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597547Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597437Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597328Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597219Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 597094Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596984Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596875Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596766Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596656Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596547Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596436Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596328Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596203Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 596085Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 595936Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 595779Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 595541Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 595437Jump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeThread delayed: delay time: 595328Jump to behavior
                        Source: lumma_shredder.exe, 00000000.00000002.1921659660.0000000000CE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                        Source: lumma_shredder.exe, 00000004.00000002.2455910260.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWxi
                        Source: lumma_shredder.exe, 00000000.00000002.1922043914.00000000028B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                        Source: C:\Users\user\Desktop\lumma_shredder.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeCode function: 4_2_004452F0 LdrInitializeThunk,4_2_004452F0
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB4AC3B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6CB4AC3B
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB47FB7 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_6CB47FB7
                        Source: C:\Users\user\Desktop\lumma_shredder.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB4AC3B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6CB4AC3B
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exeCode function: 7_2_6CB4A908 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6CB4A908
                        Source: C:\Users\user\Desktop\lumma_shredder.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 62.60.234.80 1466
                        Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 104.73.234.102 443
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Memory written: C:\Users\user\Desktop\lumma_shredder.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 1816 base: F779C0 value: 55
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 1816 base: A8F008 value: 00
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 1816 base: 32E0000 value: 00
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 4928 base: F779C0 value: 55
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 4928 base: 7E8008 value: 00
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: PID: 4928 base: 890000 value: 00
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: NULL target: C:\Windows\SysWOW64\choice.exe protection: read write
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: NULL target: C:\Windows\SysWOW64\choice.exe protection: read write
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Section loaded: NULL target: C:\Windows\SysWOW64\choice.exe protection: read write
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: F779C0
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A8F008
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 32E0000
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: F779C0
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 7E8008
                        Source: C:\Windows\SysWOW64\choice.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 890000
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Process created: C:\Users\user\Desktop\lumma_shredder.exe "C:\Users\user\Desktop\lumma_shredder.exe"
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\Windows\SysWOW64\choice.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Process created: C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\choice.exe
                        Source: C:\Windows\SysWOW64\choice.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Code function: 7_2_6CB4AA5B cpuid 7_2_6CB4AA5B
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Queries volume information: C:\Users\user\Desktop\lumma_shredder.exe VolumeInformation
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\2LTJBEKAV7FOFQHB9\vcpkgsrv.exe | Code function: 5_2_0049DDF0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_0049DDF0
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Code function: 7_2_6CB3C409 GetVersionExW,Concurrency::details::WinRT::Initialize,??0unsupported_os@Concurrency@@QAE@XZ,_CxxThrowException,7_2_6CB3C409
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 4.2.lumma_shredder.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.lumma_shredder.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2453406512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match | File source: Process Memory Space: lumma_shredder.exe PID: 5180, type: MEMORYSTR
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                        Source: lumma_shredder.exe, 00000000.00000002.1937233232.00000000063C0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: dhHjaxX891ansTkPtCI
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                        Source: lumma_shredder.exe, 00000004.00000002.2457708952.000000000146D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: *exodus*
                        Source: lumma_shredder.exe, 00000004.00000002.2456886088.0000000001400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                        Source: lumma_shredder.exe, 00000000.00000002.1937233232.00000000063C0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                        Source: C:\Users\user\Desktop\lumma_shredder.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                        Source: C:\Users\user\Desktop\lumma_shredder.exeDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior

                        Remote Access Functionality

                        Source: Yara match | File source: 4.2.lumma_shredder.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.lumma_shredder.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.1930429118.0000000003AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.2453406512.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match | File source: Process Memory Space: lumma_shredder.exe PID: 5180, type: MEMORYSTR
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Code function: 7_2_6CB36D70 ?EnableTracing@Concurrency@@YAJXZ,Concurrency::details::ContextBase::TraceContextEvent,?EnableTracing@Concurrency@@YAJXZ,Concurrency::details::SchedulerBase::GetInternalContext,?EnableTracing@Concurrency@@YAJXZ,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,?EnableTracing@Concurrency@@YAJXZ,7_2_6CB36D70
                        Source: C:\ProgramData\FNPLicensingService\vcpkgsrv.exe | Code function: 7_2_6CB3607C ?EnableTracing@Concurrency@@YAJXZ,Concurrency::details::SchedulerBase::GetInternalContext,?EnableTracing@Concurrency@@YAJXZ,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,7_2_6CB3607C
                        MITRE ATT&CK Matrix

                        Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. The techniques below are those the report marks with a signature count (count as shown in the report); the remaining cells of the matrix carried no hits for this sample.

                        Execution: Windows Management Instrumentation (12), Native API (1), Scheduled Task/Job (11)
                        Persistence: DLL Side-Loading (11), Scheduled Task/Job (11)
                        Privilege Escalation: DLL Side-Loading (11), Process Injection (511), Scheduled Task/Job (11)
                        Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (11), Masquerading (1), Virtualization/Sandbox Evasion (251), Process Injection (511)
                        Credential Access: OS Credential Dumping (2)
                        Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (144), Query Registry (1), Security Software Discovery (451), Process Discovery (1), Virtualization/Sandbox Evasion (251), Application Window Discovery (1)
                        Collection: Archive Collected Data (1), Data from Local System (41), Clipboard Data (2)
                        Command and Control: Ingress Tool Transfer (1), Encrypted Channel (21), Non-Standard Port (1), Non-Application Layer Protocol (3), Application Layer Protocol (114)
                        Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged
                        Behavior Graph

                        Behavior Graph ID: 1615221 | Sample: lumma_shredder.exe | Start date: 14/02/2025 | Architecture: WINDOWS | Score: 100

                        Start (node 2)
                          DNS/IP: greehnvibe.top; www.mediafire.com; 4 other IPs or domains
                          Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                          Started: lumma_shredder.exe (12); vcpkgsrv.exe (16); vcpkgsrv.exe (18)

                        lumma_shredder.exe (12)
                          DNS/IP: download2296.mediafire.com 199.91.155.37, 443, 49734, MEDIAFIREUS, United States; www.mediafire.com 104.17.151.117, 443, 49733, CLOUDFLARENETUS, United States
                          Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
                          Started: lumma_shredder.exe (20)

                        vcpkgsrv.exe (16)
                          Signatures: Maps a DLL or memory area into another process
                          Started: choice.exe (25)

                        vcpkgsrv.exe (18)
                          Started: choice.exe (27)

                        lumma_shredder.exe (20)
                          DNS/IP: greehnvibe.top 104.21.64.1, 443, 49741, 49742, CLOUDFLARENETUS, United States; qu.ax 157.180.25.156, 443, 49749, SSHENETUS, Sweden
                          Dropped: C:\Users\user\AppData\Local\...\vclimg290.bpl, PE32; C:\Users\user\AppData\Local\...\vclie290.bpl, PE32; C:\Users\user\AppData\Local\...\vclhie290.bpl, PE32; 9 other malicious files
                          Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; 2 other signatures
                          Started: vcpkgsrv.exe (29)

                        choice.exe (25)
                          Dropped: C:\Users\user\AppData\Local\Temp\mhmdv, PE32
                          Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
                          Started: explorer.exe (33); conhost.exe (36)

                        choice.exe (27)
                          Started: conhost.exe (38)

                        vcpkgsrv.exe (29)
                          Dropped: C:\ProgramData\FNPLicensingService\cpfe.dll, PE32; C:\ProgramData\...\concrt140.dll, PE32
                          Signatures: Switches to a custom stack to bypass stack traces
                          Started: vcpkgsrv.exe (40)

                        explorer.exe (33)
                          DNS/IP: 62.60.234.80, 1466, 50021, ASLINE-AS-APASLINELIMITEDHK, Iran (ISLAMIC Republic Of); steamcommunity.com 104.73.234.102, 443, 50020, AKAMAI-ASUS, United States
                          Signatures: System process connects to network (likely due to code injection or exploit)

                        vcpkgsrv.exe (40)
                          Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                          Started: choice.exe (43)

                        choice.exe (43)
                          Dropped: C:\Users\user\AppData\Local\Temp\txrsrg, PE32
                          Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Switches to a custom stack to bypass stack traces
                          Started: explorer.exe (47); conhost.exe (50)

                        explorer.exe (47)
                          Signatures: Switches to a custom stack to bypass stack traces
                          Started: WerFault.exe (52); WerFault.exe (54); WerFault.exe (56); 2 other processes (58)

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.