Edit tour

Windows Analysis Report
EasyWay.exe

Overview

General Information

Sample name:	EasyWay.exe
Analysis ID:	1630777
MD5:	8c40e1b46c424cff6504ef00ae2da835
SHA1:	f9dfa95368e73e702206c81705c57bac6b1b1cc1
SHA256:	88a50f28710dfe08f6ca8f47f44b8689ba38edacdf92e32b0ae705fbf8faf97a
Tags:	exeLummaStealertrojanuser-edv
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EasyWay.exe (PID: 3704 cmdline: "C:\Users\user\Desktop\EasyWay.exe" MD5: 8C40E1B46C424CFF6504EF00AE2DA835)

EasyWay.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\EasyWay.exe" MD5: 8C40E1B46C424CFF6504EF00AE2DA835)

WerFault.exe (PID: 7092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 784 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "LPnhqo--qnhtzqcrazyg"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.3400846481.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: EasyWay.exe PID: 7140	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.EasyWay.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.EasyWay.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.EasyWay.exe.3829550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:32.672032+0100	2028371	3	Unknown Traffic	192.168.2.6	49710	149.154.167.99	443	TCP
2025-03-06T09:26:34.654997+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	188.114.97.3	443	TCP
2025-03-06T09:26:36.273445+0100	2028371	3	Unknown Traffic	192.168.2.6	49715	188.114.97.3	443	TCP
2025-03-06T09:26:38.508992+0100	2028371	3	Unknown Traffic	192.168.2.6	49723	188.114.97.3	443	TCP
2025-03-06T09:26:41.420886+0100	2028371	3	Unknown Traffic	192.168.2.6	49729	188.114.97.3	443	TCP
2025-03-06T09:26:44.300501+0100	2028371	3	Unknown Traffic	192.168.2.6	49735	188.114.97.3	443	TCP
2025-03-06T09:26:47.102970+0100	2028371	3	Unknown Traffic	192.168.2.6	49742	188.114.97.3	443	TCP
2025-03-06T09:26:49.996841+0100	2028371	3	Unknown Traffic	192.168.2.6	49749	188.114.97.3	443	TCP
2025-03-06T09:26:52.941602+0100	2028371	3	Unknown Traffic	192.168.2.6	49755	188.114.97.3	443	TCP
2025-03-06T09:26:57.164673+0100	2028371	3	Unknown Traffic	192.168.2.6	49763	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:36.725078+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49715	188.114.97.3	443	TCP
2025-03-06T09:26:39.488598+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49723	188.114.97.3	443	TCP
2025-03-06T09:26:58.066502+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49763	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:36.725078+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49715	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:34.654997+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49713	188.114.97.3	443	TCP
2025-03-06T09:26:36.273445+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49715	188.114.97.3	443	TCP
2025-03-06T09:26:38.508992+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49723	188.114.97.3	443	TCP
2025-03-06T09:26:41.420886+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49729	188.114.97.3	443	TCP
2025-03-06T09:26:44.300501+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49735	188.114.97.3	443	TCP
2025-03-06T09:26:47.102970+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49742	188.114.97.3	443	TCP
2025-03-06T09:26:49.996841+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49749	188.114.97.3	443	TCP
2025-03-06T09:26:52.941602+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49755	188.114.97.3	443	TCP
2025-03-06T09:26:57.164673+0100	2060623	1	Domain Observed Used for C2 Detected	192.168.2.6	49763	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sdfwfsdf .icu)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:33.659536+0100	2060622	1	Domain Observed Used for C2 Detected	192.168.2.6	61362	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T09:26:42.410317+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49729	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: EasyWay.exe

Avira: detected

Antivirus detection for URL or domain

Source: moderzysics.top	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/&	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/api	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/ckG	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/apiIgm	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/apiZ	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/P	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/	Avira URL Cloud: Label: malware
Source: sdfwfsdf.icu	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/apiG	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/L	Avira URL Cloud: Label: malware
Source: seedsxouts.shop	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/apiUj	Avira URL Cloud: Label: malware
Source: farfinable.top	Avira URL Cloud: Label: malware
Source: https://sdfwfsdf.icu/3	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "LPnhqo--qnhtzqcrazyg"}

Multi AV Scanner detection for submitted file

Source: EasyWay.exe	Virustotal: Detection: 52%			Perma Link
Source: EasyWay.exe	ReversingLabs: Detection: 57%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sdfwfsdf.icu
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: explorebieology.run
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: moderzysics.top
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: seedsxouts.shop
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: codxefusion.top
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: farfinable.top
Source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	String decryptor: techspherxe.top

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_0041BBD9 CryptUnprotectData,

1_2_0041BBD9

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2

Source: EasyWay.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: Thrones.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Event\source\repos\Thrones\Thrones\obj\Release\Thrones.pdb source: EasyWay.exe
Source:	Binary string: System.pdb) source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WEREB0E.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	1_2_0040C8E0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-67915A82h]	1_2_0044989A
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	1_2_0044D0B0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-2DA3129Fh]	1_2_0042B920
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0042B920
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+741DDFE2h]	1_2_00447AC0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+778E6F5Ch]	1_2_00412AEF
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000268h]	1_2_00412AEF
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0043633B
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	1_2_00443BD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-144FFED6h]	1_2_0042EDB0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [edi+eax]	1_2_0040FFFC
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_0042E030
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B030
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_004260D0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [edi+ecx-19ACD460h]	1_2_0042C8E5
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax+0Ah]	1_2_0042C8E5
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then push ebp	1_2_00432093
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_0041D898
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then jmp eax	1_2_00444940
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	1_2_0040D167
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_0041F176
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov dword ptr [esp+28h], ecx	1_2_00436103
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+10h]	1_2_00421900
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00421900
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	1_2_00432100
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B120
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+0Eh]	1_2_0040C130
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B139
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B13B
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00436986
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0043633B
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax+00h]	1_2_00410A60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_0040A220
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_0040A220
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	1_2_00430220
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp+02h]	1_2_00428AC0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CFF799Ah]	1_2_004482C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CFF799Ah]	1_2_004482C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-03FFFFF3h]	1_2_00426A80
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B2A0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h]	1_2_0044AAB1
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	1_2_0042F340
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx]	1_2_00445B1F
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00431BC6
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-467C15BAh]	1_2_004353CF
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_0044B3E0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [edx], ax	1_2_0042E3ED
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	1_2_0040C440
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_0042241C
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	1_2_00444CD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h]	1_2_00435CAD
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	1_2_00447D60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041AD70
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_00428570
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	1_2_0044C500
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-56h]	1_2_0041FDD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+09h]	1_2_0041FDD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_004375E8
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_004375EE
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00431D9A
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	1_2_00422E60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [ecx], di	1_2_00422E60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp word ptr [eax+ecx+02h], 0000h	1_2_0041E6F5
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_00436F43
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-66C9643Ah]	1_2_0040EF50
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movsx eax, byte ptr [edx+ecx]	1_2_0040EF50
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CFF798Ah]	1_2_00420750
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CFF7966h]	1_2_00420750
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 93A82FD1h	1_2_00447F70
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+6BB68D3Fh]	1_2_00425F10
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then cmp word ptr [eax+ecx+02h], 0000h	1_2_0041DCC1
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+000002A0h]	1_2_00427F20
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_00427F20
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00432F20
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041C7C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sdfwfsdf .icu) : 192.168.2.6:61362 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49723 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49729 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49755 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060623 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sdfwfsdf .icu in TLS SNI) : 192.168.2.6:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49723 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49729 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49763 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sdfwfsdf.icu
Source: Malware configuration extractor	URLs: explorebieology.run
Source: Malware configuration extractor	URLs: moderzysics.top
Source: Malware configuration extractor	URLs: seedsxouts.shop
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: farfinable.top
Source: Malware configuration extractor	URLs: techspherxe.top

Source: global traffic

TCP traffic: 192.168.2.6:64940 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49723 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49735 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49755 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /kz_prokla1 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RHDT08YSTOFJ95FUZCookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12862Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=YUF9CS4AKWV1Cookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S3TS9Q87ETI5OOWTWCookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19966Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RXKYOMADS0OQFQJUCookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2414Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0B789H4H37Cookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587930Host: sdfwfsdf.icu
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=i5mW1fATjs4MUxlnPduqj21Ft4eT24RjB1JhZQyWRc4-1741249596-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: sdfwfsdf.icu

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /kz_prokla1 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: sdfwfsdf.icu

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sdfwfsdf.icu

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 06 Mar 2025 08:26:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WgyLBGjlo4feIpm34hq6oN4nqFpM%2FbxlabtmvsRMdox8ctX84ZLekqk%2Fh3x%2FaOh1l5ow3FUHCO%2FF7z5vYoWAtYXqGcU7EBbfwwYRzepdVNQzGIzF4Y0Pq%2Bdl3cgB6xI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91c0781a5c189ad2-MIA

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/&
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/3
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/L
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/P
Source: EasyWay.exe, 00000001.00000002.3401424007.000000000138B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/api
Source: EasyWay.exe, 00000001.00000002.3401424007.000000000138B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/apiG
Source: EasyWay.exe, 00000001.00000002.3401449424.00000000013A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/apiIgm
Source: EasyWay.exe, 00000001.00000002.3401449424.00000000013A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/apiUj
Source: EasyWay.exe, 00000001.00000002.3401424007.000000000138B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/apiZ
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdfwfsdf.icu/ckG

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49763 version: TLS 1.2

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_0043E2F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043E2F0

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_039F1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

1_2_039F1000

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_0043E2F0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043E2F0

Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 0_2_02602608	0_2_02602608
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044A006	1_2_0044A006
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044C880	1_2_0044C880
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043D897	1_2_0043D897
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040B940	1_2_0040B940
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042B920	1_2_0042B920
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00410277	1_2_00410277
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00447AC0	1_2_00447AC0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00415AE4	1_2_00415AE4
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00443BD0	1_2_00443BD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041BBD9	1_2_0041BBD9
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004364D9	1_2_004364D9
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044BCF0	1_2_0044BCF0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004275D0	1_2_004275D0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042EDB0	1_2_0042EDB0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041167D	1_2_0041167D
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00417620	1_2_00417620
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041AE30	1_2_0041AE30
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00443740	1_2_00443740
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00449FFF	1_2_00449FFF
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040F78A	1_2_0040F78A
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040E7B0	1_2_0040E7B0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043C060	1_2_0043C060
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00416815	1_2_00416815
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043581A	1_2_0043581A
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042E030	1_2_0042E030
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B030	1_2_0044B030
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042C0C0	1_2_0042C0C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043B0C1	1_2_0043B0C1
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004260D0	1_2_004260D0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004418E1	1_2_004418E1
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042C8E5	1_2_0042C8E5
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004258F0	1_2_004258F0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041D898	1_2_0041D898
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004358A5	1_2_004358A5
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00444940	1_2_00444940
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044C160	1_2_0044C160
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041F176	1_2_0041F176
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B120	1_2_0044B120
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00442935	1_2_00442935
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B139	1_2_0044B139
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B13B	1_2_0044B13B
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004111C0	1_2_004111C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004239C0	1_2_004239C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004491C6	1_2_004491C6
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004421F8	1_2_004421F8
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00436986	1_2_00436986
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041718D	1_2_0041718D
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B9B0	1_2_0044B9B0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00410A60	1_2_00410A60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004499BC	1_2_004499BC
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040A220	1_2_0040A220
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00430220	1_2_00430220
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00408A30	1_2_00408A30
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004482C0	1_2_004482C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00426A80	1_2_00426A80
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B2A0	1_2_0044B2A0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041D2AF	1_2_0041D2AF
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040DAB0	1_2_0040DAB0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044AAB1	1_2_0044AAB1
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042F340	1_2_0042F340
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00434350	1_2_00434350
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00424360	1_2_00424360
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00437B70	1_2_00437B70
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00402B10	1_2_00402B10
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00445B1F	1_2_00445B1F
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00449B3B	1_2_00449B3B
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B3E0	1_2_0044B3E0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042E3ED	1_2_0042E3ED
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043ABEC	1_2_0043ABEC
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040BBF0	1_2_0040BBF0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00445390	1_2_00445390
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00409440	1_2_00409440
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040C440	1_2_0040C440
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042E444	1_2_0042E444
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00442C60	1_2_00442C60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042AC0E	1_2_0042AC0E
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00444CD0	1_2_00444CD0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042DCF2	1_2_0042DCF2
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041CC89	1_2_0041CC89
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00428570	1_2_00428570
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00423D00	1_2_00423D00
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044C500	1_2_0044C500
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00403510	1_2_00403510
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00407D30	1_2_00407D30
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004245E0	1_2_004245E0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004395AB	1_2_004395AB
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041E64E	1_2_0041E64E
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00421E59	1_2_00421E59
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00422E60	1_2_00422E60
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00445670	1_2_00445670
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043A601	1_2_0043A601
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00423620	1_2_00423620
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00442EC0	1_2_00442EC0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043168D	1_2_0043168D
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0042F69C	1_2_0042F69C
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00408EA0	1_2_00408EA0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00403EB0	1_2_00403EB0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0040EF50	1_2_0040EF50
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00420750	1_2_00420750
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0043576D	1_2_0043576D
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00447F70	1_2_00447F70
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00427F20	1_2_00427F20
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044B730	1_2_0044B730
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00430FC0	1_2_00430FC0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004327C0	1_2_004327C0
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0041BFD9	1_2_0041BFD9
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_004307DB	1_2_004307DB
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00406F86	1_2_00406F86
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044278C	1_2_0044278C
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00404792	1_2_00404792

Source: C:\Users\user\Desktop\EasyWay.exe	Code function: String function: 0040B210 appears 50 times
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: String function: 0041AE20 appears 105 times

Source: C:\Users\user\Desktop\EasyWay.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 784

Source: EasyWay.exe, 00000000.00000000.2155592214.00000000002C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameThrones.exe0 vs EasyWay.exe
Source: EasyWay.exe, 00000000.00000002.2222563227.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EasyWay.exe
Source: EasyWay.exe, 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThrones.exe0 vs EasyWay.exe
Source: EasyWay.exe	Binary or memory string: OriginalFilenameThrones.exe0 vs EasyWay.exe

Source: EasyWay.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EasyWay.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003245881088825

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@2/2

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_00443BD0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00443BD0

Source: C:\Users\user\Desktop\EasyWay.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3704

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3098a526-7007-4096-90fb-e3f4164e5f56

Jump to behavior

Source: EasyWay.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EasyWay.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\EasyWay.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EasyWay.exe	Virustotal: Detection: 52%
Source: EasyWay.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\EasyWay.exe

File read: C:\Users\user\Desktop\EasyWay.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EasyWay.exe "C:\Users\user\Desktop\EasyWay.exe"
Source: C:\Users\user\Desktop\EasyWay.exe	Process created: C:\Users\user\Desktop\EasyWay.exe "C:\Users\user\Desktop\EasyWay.exe"
Source: C:\Users\user\Desktop\EasyWay.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 784
Source: C:\Users\user\Desktop\EasyWay.exe	Process created: C:\Users\user\Desktop\EasyWay.exe "C:\Users\user\Desktop\EasyWay.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: EasyWay.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EasyWay.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: EasyWay.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: Thrones.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Event\source\repos\Thrones\Thrones\obj\Release\Thrones.pdb source: EasyWay.exe
Source:	Binary string: System.pdb) source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WEREB0E.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WEREB0E.tmp.dmp.5.dr

Source: EasyWay.exe

Static PE information: 0xC12B1A4D [Sun Sep 11 13:51:09 2072 UTC]

Source: EasyWay.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00455894 push ds; iretd	1_2_0045589F
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_0044F443 push cs; iretd	1_2_0044F446
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 1_2_00451C66 push 00000000h; retf	1_2_00451C6C

Source: C:\Users\user\Desktop\EasyWay.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\EasyWay.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\EasyWay.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe

Window / User API: threadDelayed 5758

Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe TID: 2104	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe TID: 6532	Thread sleep count: 5758 > 30			Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\EasyWay.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\EasyWay.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: EasyWay.exe, 00000001.00000002.3401245063.000000000131A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: EasyWay.exe, 00000001.00000002.3401065793.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpV2
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\EasyWay.exe

API call chain: ExitProcess graph end node

graph_1-22833

Source: C:\Users\user\Desktop\EasyWay.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 1_2_00449770 LdrInitializeThunk,

1_2_00449770

Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 0_2_02822159 mov edi, dword ptr fs:[00000030h]		0_2_02822159
Source: C:\Users\user\Desktop\EasyWay.exe	Code function: 0_2_028222D6 mov edi, dword ptr fs:[00000030h]		0_2_028222D6

Source: C:\Users\user\Desktop\EasyWay.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\EasyWay.exe

Code function: 0_2_02822159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02822159

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EasyWay.exe

Memory written: C:\Users\user\Desktop\EasyWay.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe

Process created: C:\Users\user\Desktop\EasyWay.exe "C:\Users\user\Desktop\EasyWay.exe"

Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Queries volume information: C:\Users\user\Desktop\EasyWay.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\EasyWay.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.EasyWay.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.EasyWay.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EasyWay.exe.3829550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3400846481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: EasyWay.exe PID: 7140, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Walle<
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tore.json",".finger-print.fp","simple-storage.json","window-state.json"],"z"
Source: EasyWay.exe, 00000001.00000002.3401387170.0000000001379000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\Indt
Source: EasyWay.exe, 00000001.00000002.3401270371.000000000132A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\Desktop\EasyWay.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.EasyWay.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.EasyWay.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EasyWay.exe.3829550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3400846481.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2223996706.0000000003829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: EasyWay.exe PID: 7140, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EasyWay.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
EasyWay.exe