Windows Analysis Report
Setup_patched.exe

Overview

General Information

Sample name: Setup_patched.exe
Analysis ID: 1663246
MD5: a777cd824f116304d488a7e4956435fd
SHA1: 9428abbc995ab3a4472b24f82031809f29014924
SHA256: eb024d54ff30df641e51edec4dfdef380e7ccdd3475278497c95a5037afb2d22
Tags: de-pumped, exe, LummaStealer, user-aachum

Detection

LummaC Stealer
Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected LummaC Stealer
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
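Two of the three VM-detection signatures above read the same underlying data: WMI's Win32_BIOS and Win32_BaseBoard classes are populated from the SMBIOS table, and GetSystemFirmwareTable('RSMB') hands a program that table raw, so a sandbox that only rewrites WMI answers still leaks its hypervisor through the firmware-table query. The Python below is an added example, not code from the report or from the sample, showing how the RSMB buffer is parsed and which vendor strings name the hypervisor. The two SMBIOS tables it runs on are constructed in the block (a VirtualBox-style one and a bare-metal-style one), the VM_MARKERS list is an assumption, and the sample's own check is not on the page; on Windows the live table can be read with the ctypes call shown.

```python
"""What a 'Query firmware table information' check sees (added example).

GetSystemFirmwareTable('RSMB') returns a RawSMBIOSData header followed by the raw
SMBIOS structure table. The BIOS (type 0), System (type 1) and Baseboard (type 2)
structures carry vendor strings that usually name the hypervisor outright.
"""
import struct
import sys

RAW_HDR = struct.Struct("<BBBBI")   # Used20CallingMethod, major, minor, DmiRevision, Length
STRUCT_HDR = struct.Struct("<BBH")  # type, length of formatted part, handle

# Assumed marker list: substrings that identify a hypervisor in BIOS/system/board strings.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "oracle", "qemu", "bochs", "xen",
              "parallels", "virtual machine")


def parse_smbios(raw: bytes) -> list[dict]:
    """Walk the structure table: each structure is a formatted part followed by a
    string set (NUL-terminated strings, closed by one extra NUL)."""
    _, _, _, _, length = RAW_HDR.unpack_from(raw, 0)
    table = raw[RAW_HDR.size:RAW_HDR.size + length]
    out, pos = [], 0
    while pos + STRUCT_HDR.size <= len(table):
        stype, slen, handle = STRUCT_HDR.unpack_from(table, pos)
        formatted = table[pos:pos + slen]
        pos += slen
        strings = []
        while True:
            end = table.index(b"\x00", pos)
            chunk = table[pos:end]
            pos = end + 1
            if not chunk:
                break
            strings.append(chunk.decode("ascii", "replace"))
        if not strings:
            pos += 1                # an empty string set is encoded as two NULs
        out.append({"type": stype, "handle": handle, "data": formatted, "strings": strings})
        if stype == 127:            # End-of-Table structure
            break
    return out


def _string_field(rec: dict, offset: int) -> str:
    """Resolve a 1-based string index stored in the formatted part (0 = no string)."""
    idx = rec["data"][offset] if offset < len(rec["data"]) else 0
    return rec["strings"][idx - 1] if 0 < idx <= len(rec["strings"]) else ""


def firmware_identity(raw: bytes) -> dict:
    """The fields WMI exposes as Win32_BIOS / Win32_ComputerSystem / Win32_BaseBoard."""
    ident = {}
    for rec in parse_smbios(raw):
        if rec["type"] == 0:
            ident["bios_vendor"], ident["bios_version"] = _string_field(rec, 4), _string_field(rec, 5)
        elif rec["type"] == 1:
            ident["system_manufacturer"], ident["system_product"] = _string_field(rec, 4), _string_field(rec, 5)
        elif rec["type"] == 2:
            ident["board_manufacturer"], ident["board_product"] = _string_field(rec, 4), _string_field(rec, 5)
    return ident


def vm_indicators(ident: dict) -> list[str]:
    return sorted({m for value in ident.values() for m in VM_MARKERS if m in value.lower()})


def read_rsmb_from_windows() -> bytes:
    """Live read on Windows via kernel32!GetSystemFirmwareTable ('RSMB' == 0x52534D42)."""
    import ctypes
    k32 = ctypes.windll.kernel32
    size = k32.GetSystemFirmwareTable(0x52534D42, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(0x52534D42, 0, buf, size)
    return buf.raw


# --- constructed tables so the block runs offline -----------------------------
def _structure(stype: int, handle: int, fields: bytes, strings: list[str]) -> bytes:
    sset = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00" if strings else b"\x00\x00"
    return STRUCT_HDR.pack(stype, STRUCT_HDR.size + len(fields), handle) + fields + sset


def build_rsmb(bios_vendor, bios_version, sys_mfr, sys_product, board_mfr, board_product) -> bytes:
    table = (_structure(0, 0x0000, bytes([1, 2]) + bytes(16), [bios_vendor, bios_version])
             + _structure(1, 0x0001, bytes([1, 2, 0, 0]) + bytes(16) + bytes([6, 0, 0]), [sys_mfr, sys_product])
             + _structure(2, 0x0002, bytes([1, 2, 0, 0, 0, 1]), [board_mfr, board_product])
             + _structure(127, 0xFEFF, b"", []))
    return RAW_HDR.pack(0, 3, 2, 0, len(table)) + table


VM_SAMPLE = build_rsmb("innotek GmbH", "VirtualBox", "innotek GmbH", "VirtualBox",
                       "Oracle Corporation", "VirtualBox")
BARE_METAL_SAMPLE = build_rsmb("American Megatrends Inc.", "2.17", "Dell Inc.", "OptiPlex 7070",
                               "Dell Inc.", "OptiPlex 7070")

if __name__ == "__main__":
    raw = read_rsmb_from_windows() if sys.platform == "win32" else VM_SAMPLE
    ident = firmware_identity(raw)
    print(ident)
    print("VM indicators:", vm_indicators(ident) or "none")
```

Win32_VideoController is the one check this does not cover: it comes from the PnP device tree (the emulated GPU's name), not from SMBIOS, so a sandbox has to patch that separately.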

Classification

  • System is w10x64
  • Setup_patched.exe (PID: 3308 cmdline: "C:\Users\user\Desktop\Setup_patched.exe" MD5: A777CD824F116304D488A7E4956435FD)
    • WerFault.exe (PID: 1604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 732 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Setup_patched.exe PID: 3308 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-11T16:18:31.406402+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49695 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:33.170698+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49696 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:34.428427+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:35.573232+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49698 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:39.125165+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:40.277827+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:41.684863+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:44.170870+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49702 | 104.21.56.180 | 443 | TCP
2025-04-11T16:18:45.250656+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49703 | 104.21.62.250 | 443 | TCP

AV Detection

Source: https://freshenqew.digital/wpoo | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/wpoo08 | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/f2? | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital:443/wpoo | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/ | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/wpoo= | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/wpoo3 | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/wpoo# | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/.2 | Avira URL Cloud: Label: malware
Source: Setup_patched.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.62.250:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: global traffic | HTTP traffic detected: GET /shark.bin HTTP/1.1 | Connection: Keep-Alive | Host: h1.mockupeastcoast.shop
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 104.21.62.250:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 104.21.56.180:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.56.180:443
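JA3 hashes the parameters offered in the ClientHello, so it identifies the TLS library rather than the program: the sample loads winhttp.dll and schannel.dll (see the section list further down), which puts this traffic on WinHTTP over Schannel, and any Windows program on that stack offers the same ClientHello. That is why SID 2028371 carries only severity 3 and why the rule name records where the hash was first catalogued rather than what produced it here; the JA3 hit corroborates the Yara and Avira results but would not stand alone. The Python below is an added example, not the sandbox's or Suricata's code: it parses a raw ClientHello record, drops GREASE values, builds the JA3 string, hashes it, and checks the result against a watch-list seeded with the hash reported above. The ClientHello it runs on is constructed in the block; its cipher suites and extensions are chosen for the example and the SNI is the report's C2 host, none of it taken from the pcap.

```python
"""JA3 fingerprint of a TLS ClientHello (added example, not from the report).

JA3 string = "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats",
each list '-'-joined in decimal with GREASE values removed; the fingerprint is
the MD5 of that string.
"""
import hashlib
import struct

# The hash the report's Suricata alert (SID 2028371) fired on.
OBSERVED_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
WATCHLIST = {OBSERVED_JA3}

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa). Chrome randomises these per
# connection, so JA3 drops them or the hash would never be stable.
GREASE = {((0x0A + 0x10 * i) << 8) | (0x0A + 0x10 * i) for i in range(16)}


def _u16s(buf: bytes) -> list[int]:
    return [v for (v,) in struct.iter_unpack("!H", buf)]


def _keep(values: list[int]) -> list[int]:
    return [v for v in values if v not in GREASE]


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:                                   # record type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                                       # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                               # client random
    pos += 1 + body[pos]                                    # session id
    n = struct.unpack_from("!H", body, pos)[0]; pos += 2
    ciphers = _u16s(body[pos:pos + n]); pos += n
    pos += 1 + body[pos]                                    # compression methods

    extensions, curves, point_formats = [], [], []
    if pos + 2 <= len(body):
        n = struct.unpack_from("!H", body, pos)[0]; pos += 2
        end = pos + n
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            data = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 0x000A:                             # supported_groups
                curves = _u16s(data[2:2 + struct.unpack_from("!H", data)[0]])
            elif etype == 0x000B:                           # ec_point_formats
                point_formats = list(data[1:1 + data[0]])

    ja3 = ",".join([
        str(version),
        "-".join(map(str, _keep(ciphers))),
        "-".join(map(str, _keep(extensions))),
        "-".join(map(str, _keep(curves))),
        "-".join(map(str, point_formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def on_watchlist(ja3_md5: str) -> bool:
    return ja3_md5.lower() in WATCHLIST


def build_client_hello(version: int, ciphers: list[int],
                       extensions: list[tuple[int, bytes]]) -> bytes:
    """Constructed ClientHello for exercising the parser; not a capture."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Assumed parameters for the example; the SNI is the C2 host named in the report.
SNI = b"freshenqew.digital"
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0xC02B],   # GREASE, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ECDHE-ECDSA-AES128-GCM-SHA256
    [(0x3A3A, b""),                                                  # GREASE extension
     (0x0000, struct.pack("!HBH", len(SNI) + 3, 0, len(SNI)) + SNI),  # server_name
     (0x000A, struct.pack("!HHHH", 6, 0x2A2A, 0x001D, 0x0017)),       # supported_groups: GREASE, x25519, secp256r1
     (0x000B, b"\x01\x00"),                                           # ec_point_formats: uncompressed
     (0x000D, struct.pack("!HHH", 4, 0x0403, 0x0804))],               # signature_algorithms
)
SAMPLE_JA3, SAMPLE_JA3_MD5 = ja3_from_client_hello(SAMPLE_HELLO)

if __name__ == "__main__":
    print(SAMPLE_JA3, SAMPLE_JA3_MD5, "watchlist hit" if on_watchlist(SAMPLE_JA3_MD5) else "no hit")
```

Because every Windows program on Schannel shares the observed hash, a watch-list match is a pivot (which process opened this socket, to which SNI) rather than a verdict; pairing the hash with the destination host or with JA3S from the server side is what turns it into a usable alert.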
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 79 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=xKtdGp0fpC | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 14879 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=tnGQC3rpS6p5MEA3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 15058 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=1EhzhYSKnEQW2 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20532 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=dQ3tKOGjWtGMU0flx8p | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 7123 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=z2K6h1dvl63WW8n5AKj | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2533 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=x2Gznv4p4AvSYWpf | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 593909 | Host: freshenqew.digital
Source: global traffic | HTTP traffic detected: POST /wpoo HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 117 | Host: freshenqew.digital
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (two events)
Source: global traffic | DNS traffic detected: DNS query: freshenqew.digital
Source: global traffic | DNS traffic detected: DNS query: h1.mockupeastcoast.shop
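The HTTP lines above give this beacon a shape a proxy-log rule can key on: a 79-byte application/x-www-form-urlencoded POST to /wpoo, then six multipart/form-data POSTs to the same path whose bodies reach 593909 bytes, all carrying a Chrome 109 User-Agent, and separately a GET for /shark.bin that sends no User-Agent at all. Two details betray the forged browser identity: a genuine Chrome upload uses a boundary beginning with ----WebKitFormBoundary, while these boundaries (xKtdGp0fpC, tnGQC3rpS6p5MEA3, ...) do not, and a browser does not follow a form post with a burst of large uploads to the same URL. The Python below is an added example, not part of the report: it parses constructed tab-separated log lines modelled on the requests above (the assignment of Suricata timestamps to requests, the benign www.example.com filler lines, and the thresholds are assumptions) and applies those three checks.

```python
"""Proxy-log triage for the Lumma C2 pattern in the report (added example)."""
from collections import defaultdict

UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"


def _line(t, method, host, path, ctype="-", clen="-", ua="-"):
    # Constructed tab-separated format: time method host path content-type content-length user-agent
    return "\t".join([t, method, host, path, ctype, str(clen), ua])


# Constructed from the report's HTTP lines; timestamps follow the Suricata table and the
# two www.example.com lines are benign filler (a real Chrome upload and a Firefox GET).
SAMPLE_LOG = "\n".join([
    _line("16:18:31", "POST", "freshenqew.digital", "/wpoo", "application/x-www-form-urlencoded", 79, UA_CHROME),
    _line("16:18:33", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=xKtdGp0fpC", 14879, UA_CHROME),
    _line("16:18:34", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=tnGQC3rpS6p5MEA3", 15058, UA_CHROME),
    _line("16:18:35", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=1EhzhYSKnEQW2", 20532, UA_CHROME),
    _line("16:18:39", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=dQ3tKOGjWtGMU0flx8p", 7123, UA_CHROME),
    _line("16:18:40", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=z2K6h1dvl63WW8n5AKj", 2533, UA_CHROME),
    _line("16:18:41", "POST", "freshenqew.digital", "/wpoo", "multipart/form-data; boundary=x2Gznv4p4AvSYWpf", 593909, UA_CHROME),
    _line("16:18:44", "POST", "freshenqew.digital", "/wpoo", "application/x-www-form-urlencoded", 117, UA_CHROME),
    _line("16:18:45", "GET", "h1.mockupeastcoast.shop", "/shark.bin"),
    _line("16:19:02", "POST", "www.example.com", "/upload",
          "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", 5120, UA_CHROME),
    _line("16:19:05", "GET", "www.example.com", "/", "-", "-", UA_FIREFOX),
])


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, method, host, path, ctype, clen, ua = line.split("\t")
        rows.append({"time": t, "method": method, "host": host, "path": path,
                     "ctype": ctype, "clen": 0 if clen == "-" else int(clen),
                     "ua": None if ua == "-" else ua})
    return rows


def missing_user_agent(rows: list[dict]) -> list[dict]:
    """The report's 'HTTP GET or POST without a user agent' signature."""
    return [r for r in rows if r["ua"] is None]


def checkin_then_exfil(rows: list[dict], min_uploads: int = 3, min_bytes: int = 4096) -> list[dict]:
    """Per URL: a form-urlencoded POST followed by >= min_uploads multipart POSTs
    totalling >= min_bytes. Thresholds are assumptions to tune against local traffic."""
    by_url = defaultdict(list)
    for r in rows:
        if r["method"] == "POST":
            by_url[(r["host"], r["path"])].append(r)
    hits = []
    for url, posts in by_url.items():
        checked_in, uploads = False, []
        for p in posts:
            if p["ctype"].startswith("application/x-www-form-urlencoded"):
                checked_in = True
            elif checked_in and p["ctype"].startswith("multipart/form-data"):
                uploads.append(p)
        total = sum(p["clen"] for p in uploads)
        if len(uploads) >= min_uploads and total >= min_bytes:
            hits.append({"url": url, "uploads": len(uploads), "bytes": total})
    return hits


def forged_chrome_ua(rows: list[dict]) -> list[dict]:
    """A 'Chrome' User-Agent whose multipart boundary lacks Chrome's
    '----WebKitFormBoundary' prefix: the UA string is set by a non-browser client."""
    out = []
    for r in rows:
        if not (r["ua"] and "Chrome/" in r["ua"] and r["ctype"].startswith("multipart/form-data")):
            continue
        parts = r["ctype"].split("boundary=", 1)
        if len(parts) == 2 and not parts[1].strip().startswith("----WebKitFormBoundary"):
            out.append(r)
    return out


def triage(text: str) -> dict:
    rows = parse_log(text)
    return {"no_user_agent": missing_user_agent(rows),
            "checkin_then_exfil": checkin_then_exfil(rows),
            "forged_chrome_ua": forged_chrome_ua(rows)}


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
```

The boundary check is the cheapest of the three and the hardest to evade without re-implementing a browser's multipart encoder; the burst check is the one to tune, since legitimate upload clients (backup agents, crash reporters) can produce similar sequences and need an allow-list by destination.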
Source: Setup_patched.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup_patched.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup_patched.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup_patched.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup_patched.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Setup_patched.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Setup_patched.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup_patched.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup_patched.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup_patched.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Setup_patched.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Setup_patched.exe, 00000000.00000003.1701396427.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1700965394.00000000035A7000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702740282.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1714841444.000000000361B000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1701724383.000000000365D000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1709463098.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702283025.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1704258912.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1698814979.000000000325F000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1701937716.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1705581863.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1698917555.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1700136263.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702407009.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1718410115.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1713825671.0000000003603000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1730615254.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1710867883.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1722428933.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1729568877.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1704467193.00000000034FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Setup_patched.exe, 00000000.00000003.1701396427.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1700965394.00000000035A7000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702740282.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1714841444.000000000361B000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1701724383.000000000365D000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1709463098.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702283025.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1704258912.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1698814979.000000000325F000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1701937716.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1705581863.00000000036BE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1698917555.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1700136263.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1702407009.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1718410115.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1713825671.0000000003603000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1730615254.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1710867883.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1722428933.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1729568877.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1704467193.00000000034FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Setup_patched.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Setup_patched.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup_patched.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup_patched.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup_patched.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: Setup_patched.exe | String found in binary or memory: http://www.winzip.com
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup_patched.exe, 00000000.00000003.1589081349.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup_patched.exe, 00000000.00000003.1647510147.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/
Source: Setup_patched.exe, 00000000.00000003.1655018229.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/.2
Source: Setup_patched.exe, 00000000.00000003.1651144889.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647510147.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/f2?
Source: Setup_patched.exe, 00000000.00000003.1637209713.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1654705155.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1637209713.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1637278110.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647927518.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647769535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1655088082.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647871604.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1651144889.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1636523721.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1636799734.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647510147.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/wpoo
Source: Setup_patched.exe, 00000000.00000003.1655018229.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/wpoo#
Source: Setup_patched.exe, 00000000.00000003.1655018229.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/wpoo08
Source: Setup_patched.exe, 00000000.00000003.1559729763.0000000000F83000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/wpoo3
Source: Setup_patched.exe, 00000000.00000003.1655018229.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital/wpoo=
Source: Setup_patched.exe, 00000000.00000003.1676310045.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647510147.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1654554102.0000000001014000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freshenqew.digital:443/wpoo
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: Setup_patched.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Setup_patched.exe, 00000000.00000003.1564872625.000000000334D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Setup_patched.exe, 00000000.00000003.1590440498.000000000351A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: C:\Users\user\Desktop\Setup_patched.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 732
Source: classification engine | Classification label: mal76.troj.spyw.evad.winEXE@2/5@2/2
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3308
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\53d71295-8401-49f2-9dca-e9e5f6020e3c
Source: Setup_patched.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup_patched.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup_patched.exe, 00000000.00000003.1564464091.000000000333A000.00000004.00000800.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1577695909.000000000330C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\Setup_patched.exe | File read: C:\Users\user\Desktop\Setup_patched.exe
Source: unknown | Process created: C:\Users\user\Desktop\Setup_patched.exe "C:\Users\user\Desktop\Setup_patched.exe"
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: aclayers.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: webio.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeSection loaded: version.dllJump to behavior
      Source: Setup_patched.exe | Static file information: File size 11538432 > 1048576
      Source: Setup_patched.exe | Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0xa45000
      Source: Setup_patched.exe | Static PE information: section name: _winzip_
      Source: C:\Users\user\Desktop\Setup_patched.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Setup_patched.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\Desktop\Setup_patched.exe | System information queried: FirmwareTableInformation
      Source: C:\Users\user\Desktop\Setup_patched.exe TID: 7596 | Thread sleep time: -60000s >= -30000s
      Source: C:\Users\user\Desktop\Setup_patched.exe TID: 7596 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\Setup_patched.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
      Source: Amcache.hve.6.dr | Binary or memory string: VMware
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.0000000003332000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
      Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Setup_patched.exe, 00000000.00000003.1654705155.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1637278110.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647769535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647871604.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1676400961.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1559729763.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1636799734.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1676485201.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
      Source: Setup_patched.exe, 00000000.00000003.1540499193.00000000010B0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ZTNvMCiW7.exep
      Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
      Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
      Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
      Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
      Source: Setup_patched.exe, 00000000.00000003.1540964743.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZTNvMCiW7.exe
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
      Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
      Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
      Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
      Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
      Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
      Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAMX
      Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
      Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
      Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
      Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
      Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Setup_patched.exe, 00000000.00000003.1578012295.000000000332D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
      Source: C:\Users\user\Desktop\Setup_patched.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Setup_patched.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Setup_patched.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\Setup_patched.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Setup_patched.exe, 00000000.00000003.1654705155.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1655018229.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647510147.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647769535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1647510147.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1676400961.0000000000F85000.00000004.00000020.00020000.00000000.sdmp, Setup_patched.exe, 00000000.00000003.1651144889.0000000000FDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
      Source: C:\Users\user\Desktop\Setup_patched.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: Yara match | File source: Process Memory Space: Setup_patched.exe PID: 3308, type: MEMORYSTR
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
      Source: C:\Users\user\Desktop\Setup_patched.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
      Source: C:\Users\user\Desktop\Setup_patched.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\Desktop\Setup_patched.exe | Directory queried: C:\Users\user\Documents\UOOJJOZIRH
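The file-access pattern logged above is itself a usable detection signal: a single unrelated executable opening Chromium Login Data, wallet-extension storage under Local/Sync Extension Settings, Firefox logins.json and key4.db, FTP-client profile directories and desktop wallet directories within one run. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. It classifies file-open events into secret-store categories and flags any process that touches three or more categories it does not own. The "process|path" event format, the category regexes and the owner allow-list are assumptions constructed for the example; the Setup_patched.exe paths are taken from the report, and the two browser events are constructed benign accesses to show the rule does not fire on the store's own application.

```python
import re
from collections import defaultdict

# Constructed sample events in a "process|path" form (not a real log format).
# The Setup_patched.exe paths are copied from the sandbox report; the last two
# lines are constructed benign accesses by the browsers that own those stores.
SAMPLE_EVENTS = [
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    # 32-character extension ID under Local Extension Settings (this ID is the one published for MetaMask)
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Roaming\FTPRush",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Roaming\Electrum\wallets",
    r"C:\Users\user\Desktop\Setup_patched.exe|C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
]

# Secret-store categories, matched against the lower-cased path. These regexes are
# assumptions built from the directories in the report, not an exhaustive list.
CATEGORIES = {
    "chromium_logins": re.compile(r"\\user data\\[^\\]+\\login data"),
    "chromium_ext_store": re.compile(r"\\user data\\[^\\]+\\(local|sync) extension settings\\[a-p]{32}$"),
    "firefox_secrets": re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    "ftp_client": re.compile(r"\\(ftprush|ftpgetter|ftpbox|ftpinfo|smartftp|3d-ftp)(\\|$)"),
    "desktop_wallet": re.compile(
        r"\\(exodus|electrum|electrum-ltc|ledger live|atomic|coinomi|bitcoin|binance|guarda|com\.liberty\.jaxx)(\\|$)"
    ),
}

# Image names that legitimately open a given store (constructed allow-list).
OWNER_OF = {
    "chromium_logins": ("chrome.exe", "msedge.exe"),
    "chromium_ext_store": ("chrome.exe", "msedge.exe"),
    "firefox_secrets": ("firefox.exe",),
}


def classify(path: str):
    """Return the secret-store category of a path, or None if it is not one."""
    p = path.lower()
    for name, rx in CATEGORIES.items():
        if rx.search(p):
            return name
    return None


def score_processes(events, threshold: int = 3):
    """Map each process to the sorted list of store categories it touched,
    keeping only processes that reach `threshold` categories they do not own.
    A browser opening its own Login Data is ignored; an unrelated executable
    fanning out across browser, FTP and wallet stores is the stealer pattern."""
    touched = defaultdict(set)
    for line in events:
        proc, path = line.split("|", 1)
        cat = classify(path)
        if cat is None:
            continue
        image = proc.rsplit("\\", 1)[-1].lower()
        if image in OWNER_OF.get(cat, ()):
            continue
        touched[proc].add(cat)
    return {proc: sorted(cats) for proc, cats in touched.items() if len(cats) >= threshold}


if __name__ == "__main__":
    for proc, cats in score_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(cats)}")
```

On the sample events only Setup_patched.exe is reported, with all five categories; chrome.exe and firefox.exe are dropped by the owner allow-list. The threshold is the tunable part: password managers and backup agents legitimately read one or two of these stores, but very little benign software reads browser credential databases, Firefox key material, FTP favourites and wallet directories in the same run.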

      Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: Setup_patched.exe PID: 3308, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic; the number in front of a technique is the count badge the report attaches to it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 22 Virtualization/Sandbox Evasion; 1 Process Injection; 1 DLL Side-Loading; Binary Padding; Software Packing
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 231 Security Software Discovery; 22 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 31 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact