
Windows Analysis Report
kmtsefjtjha.exe

Overview

General Information

Sample name: kmtsefjtjha.exe
Analysis ID: 1637342
MD5: a381c8fda83e98d25b7bc0dc8d2f6113
SHA1: f51a6b364d11047cbe38d70ad6179565ff69971e
SHA256: 4a1ec80d6a3a9c63458730e025b12a050f7d73fb60eaaa39df3ac858e54280ff
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

(classification chart not reproduced in this text export)

Process Tree

  • System is w10x64
  • kmtsefjtjha.exe (PID: 6568, cmdline: "C:\Users\user\Desktop\kmtsefjtjha.exe", MD5: A381C8FDA83E98D25B7BC0DC8D2F6113)
  • cleanup
Malware Configuration

LummaC: {"C2 url": ["kbracketba.shop/Bdwo", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "201d0d2b07e9030ba7851ba8698f088067f24d831170161619b4"}

Yara Overview

Source | Rule | Description | Author
Process Memory Space: kmtsefjtjha.exe PID: 6568 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Process Memory Space: kmtsefjtjha.exe PID: 6568 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: kmtsefjtjha.exe PID: 6568 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
0.2.kmtsefjtjha.exe.4f0000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

Sigma Overview

No Sigma rule has matched
Suricata IDS Alerts

Timestamp                        SID      Severity  Classtype        Source IP    Src Port  Destination IP  Dst Port  Protocol
2025-03-13T14:51:23.156959+0100  2028371  3         Unknown Traffic  192.168.2.7  49681     104.21.48.1     443       TCP
2025-03-13T14:51:26.133983+0100  2028371  3         Unknown Traffic  192.168.2.7  49682     104.21.48.1     443       TCP
2025-03-13T14:51:28.522016+0100  2028371  3         Unknown Traffic  192.168.2.7  49683     104.21.48.1     443       TCP
2025-03-13T14:51:30.918211+0100  2028371  3         Unknown Traffic  192.168.2.7  49684     104.21.48.1     443       TCP
2025-03-13T14:51:34.144612+0100  2028371  3         Unknown Traffic  192.168.2.7  49685     104.21.48.1     443       TCP
2025-03-13T14:51:36.711139+0100  2028371  3         Unknown Traffic  192.168.2.7  49686     104.21.48.1     443       TCP
2025-03-13T14:51:40.707584+0100  2028371  3         Unknown Traffic  192.168.2.7  49689     104.21.48.1     443       TCP
2025-03-13T14:51:41.896496+0100  2028371  3         Unknown Traffic  192.168.2.7  49691     188.114.97.3    443       TCP
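Added example (not part of the Joe Sandbox output): the alert table above is just eight JA3 hits, but the timestamps already show a regular cadence toward 104.21.48.1. The script below re-encodes those rows as Suricata EVE JSON (constructed input; field names follow Suricata's standard eve.json layout), groups alerts by source, destination and port, and measures inter-connection intervals so that a regular cadence can be flagged as beaconing. Thresholds (`min_count`, `max_cv`) are assumptions to tune per environment.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed input: the eight alert rows from the table above, re-encoded as
# Suricata EVE JSON lines. Only the fields this script reads are filled in.
_ROWS = [
    ("2025-03-13T14:51:23.156959+0100", 49681, "104.21.48.1"),
    ("2025-03-13T14:51:26.133983+0100", 49682, "104.21.48.1"),
    ("2025-03-13T14:51:28.522016+0100", 49683, "104.21.48.1"),
    ("2025-03-13T14:51:30.918211+0100", 49684, "104.21.48.1"),
    ("2025-03-13T14:51:34.144612+0100", 49685, "104.21.48.1"),
    ("2025-03-13T14:51:36.711139+0100", 49686, "104.21.48.1"),
    ("2025-03-13T14:51:40.707584+0100", 49689, "104.21.48.1"),
    ("2025-03-13T14:51:41.896496+0100", 49691, "188.114.97.3"),
]
SAMPLE_EVE = "\n".join(json.dumps({
    "timestamp": ts, "event_type": "alert", "proto": "TCP",
    "src_ip": "192.168.2.7", "src_port": sport,
    "dest_ip": dip, "dest_port": 443,
    "alert": {"signature_id": 2028371, "severity": 3,
              "signature": "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"},
}) for ts, sport, dip in _ROWS)


def parse_eve(text):
    """Parse EVE JSON lines, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _ts(record):
    # Suricata writes "+0100" style offsets, which %z accepts.
    return datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_stats(records, sid=None):
    """Group alerts by (src_ip, dest_ip, dest_port) and measure the gaps
    between consecutive connections. cv = stdev/mean of those gaps; a low
    cv means a regular cadence."""
    groups = defaultdict(list)
    for r in records:
        if sid is not None and r.get("alert", {}).get("signature_id") != sid:
            continue
        groups[(r["src_ip"], r["dest_ip"], r["dest_port"])].append(_ts(r))
    stats = {}
    for key, times in groups.items():
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"count": len(times), "intervals": intervals, "median": None, "cv": None}
        if len(intervals) >= 2:
            mean = statistics.mean(intervals)
            entry["median"] = statistics.median(intervals)
            entry["cv"] = statistics.stdev(intervals) / mean if mean else None
        stats[key] = entry
    return stats


def flag_beacons(stats, min_count=5, max_cv=0.5):
    """Return the keys whose cadence is regular enough to call beaconing."""
    return sorted(k for k, s in stats.items()
                  if s["count"] >= min_count and s["cv"] is not None and s["cv"] <= max_cv)


if __name__ == "__main__":
    st = beacon_stats(parse_eve(SAMPLE_EVE), sid=2028371)
    for key, s in st.items():
        print(key, "count=%d median=%s cv=%s" % (s["count"], s["median"], s["cv"]))
    print("beacon candidates:", flag_beacons(st))
```

On these eight rows the 104.21.48.1 group has seven connections with a median gap of about 2.8 s and a coefficient of variation around 0.2, so it is flagged; the single connection to 188.114.97.3 yields no interval statistics. Two caveats: the report resolves four hostnames but shows only two destination IPs, so several C2 hostnames share 104.21.48.1 and grouping by SNI or Host header is more precise when those fields are present, and a 3-second cadence in a sandbox run reflects the sample walking its C2 list rather than a sleep-based beacon, so the thresholds above are illustrative.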

AV Detection

Source: kmtsefjtjha.exe | Avira: detected
Source: https://jowinjoinery.icu/bdWUa | Avira URL Cloud: Label: malware
Source: https://jowinjoinery.icu/bdWUaj | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSaE | Avira URL Cloud: Label: malware
Source: https://jowinjoinery.icu/p | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS_ | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top:443/aNzS | Avira URL Cloud: Label: malware
Source: https://jowinjoinery.icu/ | Avira URL Cloud: Label: malware
Source: kbracketba.shop/Bdwo | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/Y | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSg | Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSs= | Avira URL Cloud: Label: malware
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["kbracketba.shop/Bdwo", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "201d0d2b07e9030ba7851ba8698f088067f24d831170161619b4"}
Source: kmtsefjtjha.exe | VirusTotal: Detection: 52%
Source: kmtsefjtjha.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: kbracketba.shop/Bdwo
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.3317274612.00000000004F1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bugildbett.top/bAuz
Source: kmtsefjtjha.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49691 version: TLS 1.2
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00584490 FindFirstFileW
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then dec ebx | 0_2_00536550
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_004FA1D0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_004FA1D0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-437B6EDCh] | 0_2_0053E1A0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then mov dword ptr [esp+04h], 00000000h | 0_2_0053E1A0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-437B6EDCh] | 0_2_0053E230
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then mov dword ptr [esp+04h], 00000000h | 0_2_0053E230
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then mov dword ptr [esp+0Ch], edx | 0_2_005403F0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h | 0_2_0053A5D0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000C8h] | 0_2_00500F90
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_0050B300
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then mov word ptr [ebx], cx | 0_2_0050B3D0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0050B3D0
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h] | 0_2_005376B0

          Networking

Source: Malware configuration extractor | URLs: kbracketba.shop/Bdwo
Source: Malware configuration extractor | URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor | URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor | URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor | URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor | URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor | URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor | URLs: bugildbett.top/bAuz
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49689 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49691 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 61 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=N9nIggHy64RmKxn | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14503 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=D3YF4s19VwPae4C | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15065 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=stqIpY94Sm9a8Y5cWD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20405 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=SF96n15usQG1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 2497 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=OyUBtKc2F6PKp | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 567974 | Host: mrodularmall.top
Source: global traffic | HTTP traffic detected: POST /bdWUa HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 99 | Host: jowinjoinery.icu
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic | DNS traffic detected: DNS query: kbracketba.shop
Source: global traffic | DNS traffic detected: DNS query: featureccus.shop
Source: global traffic | DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic | DNS traffic detected: DNS query: jowinjoinery.icu
Source: unknown | HTTP traffic detected: POST /aNzS HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 61 | Host: mrodularmall.top
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.0000000000553000.00000040.00000001.01000000.00000003.sdmp, kmtsefjtjha.exe, 00000000.00000002.3317274612.00000000006B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.0000000000553000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: kmtsefjtjha.exe, 00000000.00000003.945003384.0000000003D2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: kmtsefjtjha.exe, 00000000.00000003.946475317.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kmtsefjtjha.exe, 00000000.00000003.946475317.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: kmtsefjtjha.exe, 00000000.00000003.946475317.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: kmtsefjtjha.exe, 00000000.00000002.3318644135.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1520907570.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/
Source: kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318605138.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1521010303.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUa
Source: kmtsefjtjha.exe, 00000000.00000002.3318605138.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1521010303.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/bdWUaj
Source: kmtsefjtjha.exe, 00000000.00000002.3318644135.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1520907570.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://jowinjoinery.icu/p
Source: kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318644135.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1046969965.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002120476.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.892987700.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1520907570.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/
Source: kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000EED000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1046969965.0000000000EED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/Y
Source: kmtsefjtjha.exe, 00000000.00000003.946475317.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.945323244.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1047266035.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.944484873.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.892987700.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzS
Source: kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzS_
Source: kmtsefjtjha.exe, 00000000.00000003.1520907570.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318644135.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzSaE
Source: kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzSg
Source: kmtsefjtjha.exe, 00000000.00000003.1018267125.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1046969965.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002309382.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1520907570.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318644135.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top/aNzSs=
Source: kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mrodularmall.top:443/aNzS
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: kmtsefjtjha.exe, 00000000.00000003.895951600.0000000003D4B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: kmtsefjtjha.exe, 00000000.00000003.946475317.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: kmtsefjtjha.exe, 00000000.00000003.946162714.0000000003F05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_02F81000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber (reported 3 times)
Source: Yara match | File source: Process Memory Space: kmtsefjtjha.exe PID: 6568, type: MEMORYSTR
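Added example (not part of the Joe Sandbox output): the POST requests listed in this section follow a recognisable shape. The first request to each host is a small application/x-www-form-urlencoded body (61 and 99 bytes), and mrodularmall.top then receives five multipart/form-data uploads, the last one 567974 bytes, all from a User-Agent that claims to be Chrome 119 but carries none of the Accept, Accept-Language, Accept-Encoding, Origin or Referer headers a browser sends. The script below rebuilds those seven requests as a header-only capture (constructed from the lines above; bodies are omitted because the report does not show them) and flags the check-in-then-upload sequence. The size threshold and the header list are assumptions, not LummaC specifics.

```python
import re
from collections import defaultdict

# Constructed from the seven POST requests listed above: (host, path,
# Content-Type, Content-Length). Bodies are not part of the report.
_REQ = [
    ("mrodularmall.top", "/aNzS", "application/x-www-form-urlencoded", 61),
    ("mrodularmall.top", "/aNzS", "multipart/form-data; boundary=N9nIggHy64RmKxn", 14503),
    ("mrodularmall.top", "/aNzS", "multipart/form-data; boundary=D3YF4s19VwPae4C", 15065),
    ("mrodularmall.top", "/aNzS", "multipart/form-data; boundary=stqIpY94Sm9a8Y5cWD", 20405),
    ("mrodularmall.top", "/aNzS", "multipart/form-data; boundary=SF96n15usQG1", 2497),
    ("mrodularmall.top", "/aNzS", "multipart/form-data; boundary=OyUBtKc2F6PKp", 567974),
    ("jowinjoinery.icu", "/bdWUa", "application/x-www-form-urlencoded", 99),
]
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
SAMPLE_REQUESTS = "\r\n\r\n".join(
    f"POST {path} HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {ctype}\r\n"
    f"User-Agent: {UA}\r\nContent-Length: {clen}\r\nHost: {host}"
    for host, path, ctype, clen in _REQ
) + "\r\n\r\n"

# Headers a real browser attaches to form posts; their absence is the
# tell-tale here (assumed heuristic, tune for your own traffic).
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "origin", "referer")


def parse_requests(raw):
    """Split a capture of header-only request blocks into request dicts."""
    reqs = []
    for block in raw.split("\r\n\r\n"):
        lines = block.strip().split("\r\n")
        m = re.match(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$", lines[0]) if lines[0] else None
        if not m:
            continue
        headers = {}
        for h in lines[1:]:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        reqs.append({"method": m.group(1), "path": m.group(2), "headers": headers})
    return reqs


def classify(req):
    """Label one request: 'checkin' (small form post), 'upload' (multipart) or 'other'."""
    h = req["headers"]
    ctype = h.get("content-type", "")
    length = int(h.get("content-length", "0") or 0)
    if req["method"] != "POST":
        kind = "other"
    elif ctype.startswith("multipart/form-data"):
        kind = "upload"
    elif ctype.startswith("application/x-www-form-urlencoded") and length < 256:
        kind = "checkin"
    else:
        kind = "other"
    return {
        "host": h.get("host", ""), "path": req["path"], "kind": kind, "length": length,
        "missing_browser_headers": [n for n in BROWSER_HEADERS if n not in h],
        "claims_browser": "Mozilla/" in h.get("user-agent", ""),
    }


def detect_exfil(reqs, min_upload_bytes=10_000):
    """Per (host, path): a check-in followed by multipart uploads, sent by a
    User-Agent that claims to be a browser without any browser headers."""
    seq = defaultdict(list)
    for r in reqs:
        c = classify(r)
        seq[(c["host"], c["path"])].append(c)
    findings = {}
    for key, items in seq.items():
        kinds = [c["kind"] for c in items]
        uploaded = sum(c["length"] for c in items if c["kind"] == "upload")
        fake_browser = all(c["claims_browser"] and
                           len(c["missing_browser_headers"]) == len(BROWSER_HEADERS)
                           for c in items)
        findings[key] = {
            "sequence": kinds, "uploaded_bytes": uploaded, "fake_browser": fake_browser,
            "suspicious": ("checkin" in kinds and "upload" in kinds
                           and uploaded >= min_upload_bytes and fake_browser),
        }
    return findings


if __name__ == "__main__":
    for key, f in detect_exfil(parse_requests(SAMPLE_REQUESTS)).items():
        print(key, f)
```

On the captured requests this reports mrodularmall.top//aNzS as check-in followed by five uploads totalling 620444 bytes from a fake browser, and jowinjoinery.icu//bdWUa as a check-in only (the sample moved on after that host, so it is not flagged on its own). The same heuristic is worth running over proxy logs with the Content-Length, Content-Type and User-Agent fields, where the missing Accept headers are visible even when TLS hides the bodies.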
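Added example (not part of the Joe Sandbox output): every TLS connection in this run tripped Suricata SID 2028371, which matches on the JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1. JA3 is the MD5 of five comma-separated fields of the ClientHello (TLS version, cipher suites, extension types, supported groups, EC point formats, each list joined with "-", GREASE values dropped). The code below builds a ClientHello from constructed values, computes its JA3 string and hash, and checks the hash against a lookup table seeded with the report's fingerprint. The ClientHello here is an illustrative one and does not reproduce the sample's fingerprint; the `KNOWN_BAD` table is the only place the report's hash appears.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the fingerprint by definition.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

# Taken from the report: the fingerprint and rule that fired on every connection.
REPORT_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
KNOWN_BAD = {REPORT_JA3: "ET JA3 Hash - Possible Malware - Fake Firefox Font Update (SID 2028371)"}


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello. `extensions` is a list of
    (type, payload) pairs. Constructed for the example: the 32-byte random is
    all zeros and the session id is empty."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(p)) + p for t, p in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4  # handshake type (1) + length (3)
    version = struct.unpack_from(">H", hs, p)[0]
    p += 2 + 32               # client_version, random
    p += 1 + hs[p]            # session id
    n = struct.unpack_from(">H", hs, p)[0]
    p += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", hs[p:p + n]) if c not in GREASE]
    p += n
    p += 1 + hs[p]            # compression methods
    ext_types, curves, formats = [], [], []
    if p < len(hs):
        n = struct.unpack_from(">H", hs, p)[0]
        p += 2
        end = p + n
        while p + 4 <= end:
            t, l = struct.unpack_from(">HH", hs, p)
            p += 4
            payload = hs[p:p + l]
            p += l
            if t in GREASE:
                continue
            ext_types.append(t)
            if t == 10:       # supported_groups
                m = struct.unpack_from(">H", payload, 0)[0]
                curves = [g for (g,) in struct.iter_unpack(">H", payload[2:2 + m]) if g not in GREASE]
            elif t == 11:     # ec_point_formats
                formats = list(payload[1:1 + payload[0]])
    s = ",".join([str(version),
                  "-".join(map(str, ciphers)),
                  "-".join(map(str, ext_types)),
                  "-".join(map(str, curves)),
                  "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


def lookup(ja3_md5, known=KNOWN_BAD):
    """Return the rule label for a known-bad JA3 hash, or None."""
    return known.get(ja3_md5.lower())


# Constructed ClientHello: TLS 1.2 with a GREASE cipher and GREASE extension
# that must be ignored, SNI for one of the C2 hosts, and two real groups.
SNI = b"\x00\x13\x00\x00\x10" + b"mrodularmall.top"
SAMPLE_CIPHERS = [0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f]
SAMPLE_EXTENSIONS = [
    (0x0a0a, b""),                                # GREASE extension
    (0, SNI),                                     # server_name
    (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),    # supported_groups: GREASE, x25519, secp256r1
    (11, b"\x01\x00"),                            # ec_point_formats: uncompressed
    (35, b""),                                    # session_ticket
    (23, b""),                                    # extended_master_secret
]
SAMPLE_HELLO = build_client_hello(0x0303, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    s, h = ja3(SAMPLE_HELLO)
    print(s, h, lookup(h) or "no match")
```

The constructed hello yields the string 771,4865-4866-49195-49199,0-10-11-35-23,29-23,0 and a hash that does not match the report's fingerprint. Two practical points: JA3 sees only what the client offers, so a stealer built on the Windows native TLS stack shares its fingerprint with plenty of benign software, which is why this rule fires at severity 3 and is corroboration rather than a standalone indicator; and GREASE filtering matters, since a fingerprint computed without it changes from one connection to the next.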

          System Summary

Source: kmtsefjtjha.exe | Static PE information: section name: <empty> (reported 5 times; all five sections are nameless)
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Process Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC650 NtSetInformationFile, 0_2_005AC650
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC634 NtClose, 0_2_005AC634
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC6B8 NtReadFile, 0_2_005AC6B8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC710 NtCreateFile, 0_2_005AC710
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC7F0 NtProtectVirtualMemory, 0_2_005AC7F0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC070 NtEnumerateKey, 0_2_005AC070
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC028 NtCreateKey, 0_2_005AC028
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC0B0 NtSetValueKey, 0_2_005AC0B0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC1E0 NtQueryMultipleValueKey, 0_2_005AC1E0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC180 NtNotifyChangeKey, 0_2_005AC180
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC27C NtSetInformationKey, 0_2_005AC27C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC2C4 NtTerminateProcess, 0_2_005AC2C4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC2E0 NtWriteFile, 0_2_005AC2E0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC36C NtQueryDirectoryFile, 0_2_005AC36C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC338 NtQueryObject, 0_2_005AC338
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC3F4 NtDuplicateObject, 0_2_005AC3F4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC43C NtQueryVolumeInformationFile, 0_2_005AC43C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC4EC NtUnlockFile, 0_2_005AC4EC
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC48C NtLockFile, 0_2_005AC48C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC558 NtQuerySection, 0_2_005AC558
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC53C NtUnmapViewOfSection, 0_2_005AC53C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC5EC NtCreateSection, 0_2_005AC5EC
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC58C NtMapViewOfSection, 0_2_005AC58C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC684 NtQueryInformationFile, 0_2_005AC684
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AC778 NtOpenFile, 0_2_005AC778
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABB50 NtDeviceIoControlFile, 0_2_005ABB50
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABBE4 NtCreateThread, 0_2_005ABBE4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABBB0 NtQueryInformationProcess, 0_2_005ABBB0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABC50 NtCreateProcess, 0_2_005ABC50
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABCF8 NtCreateUserProcess, 0_2_005ABCF8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABCA0 NtCreateProcessEx, 0_2_005ABCA0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABD60 NtOpenKeyEx, 0_2_005ABD60
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABDE0 NtQuerySecurityObject, 0_2_005ABDE0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABD8C NtSetVolumeInformationFile, 0_2_005ABD8C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABE6C NtFsControlFile, 0_2_005ABE6C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABE14 NtNotifyChangeDirectoryFile, 0_2_005ABE14
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABF54 NtOpenKey, 0_2_005ABF54
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABF74 NtEnumerateValueKey, 0_2_005ABF74
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABF04 NtAccessCheck, 0_2_005ABF04
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABFE8 NtQueryValueKey, 0_2_005ABFE8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005ABFB4 NtQueryKey, 0_2_005ABFB4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0060ACA4: CreateFileA,DeviceIoControl, 0_2_0060ACA4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: String function: 0055DD9C appears 123 times
          Source: kmtsefjtjha.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: kmtsefjtjha.exe | Static PE information: Section: (nameless) ZLIB complexity 1.0003577796546546
          Source: kmtsefjtjha.exe | Static PE information: Section: (nameless) ZLIB complexity 0.99951171875
          Source: kmtsefjtjha.exe | Static PE information: Section: (nameless) ZLIB complexity 1.0012637867647058
          Source: kmtsefjtjha.exe | Static PE information: Section: .data ZLIB complexity 0.9970777428668478
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/2
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: kmtsefjtjha.exe, 00000000.00000003.896281471.0000000003D08000.00000004.00000800.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.921125693.0000000003D0F000.00000004.00000800.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.921340403.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.895527818.0000000003D39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: kmtsefjtjha.exe | Virustotal: Detection: 52%
          Source: kmtsefjtjha.exe | ReversingLabs: Detection: 60%
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File read: C:\Users\user\Desktop\kmtsefjtjha.exe
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Section loaded: userenv.dll
          Source: kmtsefjtjha.exe | Static file information: File size 1317888 > 1048576

          Data Obfuscation

          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Unpacked PE file: 0.2.kmtsefjtjha.exe.4f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
          Source: kmtsefjtjha.exe | Static PE information: section name: (empty; reported for 5 nameless sections)
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005F99C4 push 005F9A51h; ret 0_2_005F9A49
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00568054 push 00568080h; ret 0_2_00568078
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_006040FC push 00604134h; ret 0_2_0060412C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0059C0F4 push 0059C120h; ret 0_2_0059C118
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0059C0BC push 0059C0E8h; ret 0_2_0059C0E0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005E2160 push 005E218Ch; ret 0_2_005E2184
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0063C124 push 0063C150h; ret 0_2_0063C148
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0057E12C push 0057E1D7h; ret 0_2_0057E1CF
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0057E1DC push 0057E26Ch; ret 0_2_0057E264
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005D4194 push 005D41C0h; ret 0_2_005D41B8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005A0194 push 005A01CCh; ret 0_2_005A01C4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005C02F0 push 005C031Ch; ret 0_2_005C0314
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005C0290 push 005C02C3h; ret 0_2_005C02BB
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0063E348 push 0063E394h; ret 0_2_0063E38C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005C033C push 005C0388h; ret 0_2_005C0380
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0063E3A0 push 0063E3CCh; ret 0_2_0063E3C4
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005C0394 push 005C03DFh; ret 0_2_005C03D7
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00636388 push 0063643Ch; ret 0_2_00636434
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00608394 push 006083C0h; ret 0_2_006083B8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005703A0 push 00570400h; ret 0_2_005703F8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0060247C push 006024C8h; ret 0_2_006024C0
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0065841C push 0065845Ah; ret 0_2_00658452
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005E055C push 005E05B6h; ret 0_2_005E05AE
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005BE578 push ecx; mov dword ptr [esp], ecx 0_2_005BE57D
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_006C4548 push 006C457Bh; ret 0_2_006C4573
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00570578 push 005705A4h; ret 0_2_0057059C
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005825C4 push 005825F0h; ret 0_2_005825E8
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00570664 push ecx; mov dword ptr [esp], ecx 0_2_00570667
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0056E62C push 0056E6A2h; ret 0_2_0056E69A
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005E86DC push 005E8747h; ret 0_2_005E873F
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00570684 push ecx; mov dword ptr [esp], ecx 0_2_00570687
          Source: kmtsefjtjha.exe | Static PE information: section name: (nameless) entropy: 7.998938586076429
          Source: kmtsefjtjha.exe | Static PE information: section name: (nameless) entropy: 7.937973897727381
          Source: kmtsefjtjha.exe | Static PE information: section name: (nameless) entropy: 7.916709176135772
          Source: kmtsefjtjha.exe | Static PE information: section name: (nameless) entropy: 7.980093047845968
          Source: kmtsefjtjha.exe | Static PE information: section name: .data entropy: 7.980455978563004
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | System information queried: FirmwareTableInformation
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Window / User API: threadDelayed 771
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Window / User API: threadDelayed 1748
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Window / User API: threadDelayed 1759
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Window / User API: threadDelayed 2150
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Window / User API: threadDelayed 2735
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6564 | Thread sleep count: 104 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6564 | Thread sleep count: 771 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6912 | Thread sleep count: 1748 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6912 | Thread sleep time: -1748000s >= -30000s
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6836 | Thread sleep count: 1759 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6836 | Thread sleep time: -1759000s >= -30000s
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6776 | Thread sleep time: -150000s >= -30000s
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6084 | Thread sleep count: 2150 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6836 | Thread sleep count: 2735 > 30
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe TID: 6836 | Thread sleep time: -2735000s >= -30000s
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00584490 FindFirstFileW, 0_2_00584490
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
          Source: kmtsefjtjha.exe, 00000000.00000003.892897986.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1047266035.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.976051031.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.976927684.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: kmtsefjtjha.exe, 00000000.00000003.892897986.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1047266035.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.976051031.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.976927684.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018790412.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWA5q
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.0000000000553000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &VBoxService.exe
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696492231p
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
          Source: kmtsefjtjha.exe, 00000000.00000002.3318396242.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP3
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.0000000000553000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VBoxService.exe
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.000000000069D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ~VirtualMachineTypes
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.000000000069D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]DLL_Loader_VirtualMachine
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.0000000000553000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VMWare
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000002.3317274612.000000000069D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
          Source: kmtsefjtjha.exe, 00000000.00000003.921427786.0000000003D3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_0053C210 LdrInitializeThunk
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_02C57F4E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_02C57C77 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00609268 cpuid
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_006BB208 RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_00563958 GetLocalTime
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Code function: 0_2_005AACC0 GetTimeZoneInformation
          Source: kmtsefjtjha.exe, 00000000.00000003.1520784581.0000000003D02000.00000004.00000800.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1018743537.0000000003D02000.00000004.00000800.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002435027.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002309382.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, kmtsefjtjha.exe, 00000000.00000003.1002416644.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: kmtsefjtjha.exe PID: 6568, type: MEMORYSTR
          Source: Yara match | File source: 0.2.kmtsefjtjha.exe.4f0000.0.unpack, type: UNPACKEDPE
          Source: kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
          Source: kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
          Source: kmtsefjtjha.exe, 00000000.00000003.976288040.0000000000E55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
          Source: kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
          Source: kmtsefjtjha.exe, 00000000.00000003.976051031.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
          Source: kmtsefjtjha.exe, 00000000.00000003.1002209756.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
          Source: kmtsefjtjha.exe, 00000000.00000003.1018478950.0000000000E8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
          Source: kmtsefjtjha.exe, 00000000.00000003.976288040.0000000000E55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
          Source: kmtsefjtjha.exe, 00000000.00000003.976051031.0000000000E72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffla
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffla
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Binance
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Directory queried: C:\Users\user\Documents\EOWRVPQCCS
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
          Source: C:\Users\user\Desktop\kmtsefjtjha.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
          Source: Yara match | File source: Process Memory Space: kmtsefjtjha.exe PID: 6568, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: kmtsefjtjha.exe PID: 6568, type: MEMORYSTR
          Source: Yara match | File source: 0.2.kmtsefjtjha.exe.4f0000.0.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the report's signature-count badge as extracted, and entries without a number are the matrix's standard technique cells with no matching signature)
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: Virtualization/Sandbox Evasion (31); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1); Steganography; Compile After Delivery
          Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: System Time Discovery (2); Security Software Discovery (321); Virtualization/Sandbox Evasion (31); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (11); System Information Discovery (42)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Data from Local System (41); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
