Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1663453
MD5: 2150b3aacc55343610b33fc7a631f850
SHA1: 881a7a3b6b0ce8442f27ef2a26efc163a41c7133
SHA256: 49131afae4c561e078b6e6d47a98af6d22c839e584463fa6432b6ce7b924bf95
Tags: de-pumped, exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Setup.exe (PID: 8176 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 2150B3AACC55343610B33FC7A631F850)
  • cleanup
{"C2 url": ["freshenqew.digital/wpoo", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "637b55279021aab33278188cfa638397"}
Yara matches

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000001.00000003.1574080506.000000000102D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 8176 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Setup.exe PID: 8176 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-11T20:43:04.442285+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49702 | 89.169.54.153 | 443 | TCP
2025-04-11T20:43:30.053233+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49694 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:31.775935+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49695 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:33.234743+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49696 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:34.417178+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:38.175055+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49698 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:39.303180+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:40.701915+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.56.180 | 443 | TCP
2025-04-11T20:43:42.889194+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.56.180 | 443 | TCP

AV Detection

Source: https://freshenqew.digital/wpooH | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/ | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital:443/wpoocrosoft | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/wpoo | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital:443/wpoo | Avira URL Cloud: Label: malware
Source: https://h1.mockupeastcoast.shop/shark.bin | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/K | Avira URL Cloud: Label: malware
Source: https://freshenqew.digital/W: | Avira URL Cloud: Label: malware
Source: freshenqew.digital/wpoo | Avira URL Cloud: Label: malware
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["freshenqew.digital/wpoo", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "637b55279021aab33278188cfa638397"}
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: freshenqew.digital/wpoo
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: soursopsf.run/gsoiao
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: changeaie.top/geps
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: easyupgw.live/eosz
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: liftally.top/xasj
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: upmodini.digital/gokk
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: salaccgfa.top/gsooz
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: zestmodp.top/zeda
Source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp | String decryptor: xcelmodo.run/nahd
Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_029EAB9E CryptUnprotectData, | 1_3_029EAB9E
Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_029EB8EC CryptUnprotectData, | 1_3_029EB8EC
Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_029EB64C CryptUnprotectData, | 1_3_029EB64C
Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000A2h] | 1_3_02A20080
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx] | 1_3_029E019A
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h] | 1_3_02A001E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06C7276Ch] | 1_3_02A001E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7034E9ACh] | 1_3_02A001E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+00A81E30h] | 1_3_029F01E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6E7547A8h] | 1_3_029F01E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov eax, dword ptr [esi+ebp+44h] | 1_3_029F01E0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-50574108h] | 1_3_029E0E13
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+74E9E6AEh] | 1_3_029DD7F0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-023FE6F2h] | 1_3_029DD7F0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-7034E9A0h] | 1_3_029DD7F0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-360E00DAh] | 1_3_029E1702
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h] | 1_3_02A14480
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [edx+ebx*8], A0E666EBh | 1_3_02A18290
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp+04h], edx | 1_3_029E0AD0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_3_029ED06E
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov word ptr [edx], cx | 1_3_029EB250
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000001C6h] | 1_3_029F2A42
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_3_02A04A40
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp+04h], edx | 1_3_029E0B9B
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp+04h], edx | 1_3_029E0BA9
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-0000009Eh] | 1_3_02A1EBE0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov word ptr [eax], dx | 1_3_029EA350
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov word ptr [ebx], cx | 1_3_02A03378
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov word ptr [ebx], cx | 1_3_02A03378
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 1_3_029FFB76
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06C7276Ch] | 1_3_029FFB76
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then jmp eax | 1_3_029FE806
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-12312F0Ah] | 1_3_029F8800
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h | 1_3_029F8800
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4Ah] | 1_3_02A00800
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], A26ABC73h | 1_3_02A1F000
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000A2h] | 1_3_02A1F000
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 1_3_029D2030
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_3_029ED06E
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov ecx, esi | 1_3_029EE116
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_3_02A0313A
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then jmp dword ptr [02A244BCh] | 1_3_029E017A
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, word ptr [esi+eax] | 1_3_029F8E90
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+esi] | 1_3_029DC680
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movsx ecx, byte ptr [esi+eax] | 1_3_029E96A0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000E8h] | 1_3_029E26CA
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 032321CDh | 1_3_02A1BED0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-70877B26h] | 1_3_029F2EE0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1EF56E08h] | 1_3_029F2EE0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h] | 1_3_02A02620
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx eax, byte ptr [edi] | 1_3_029DA620
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov edx, eax | 1_3_029D1E40
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], CFB79CE3h | 1_3_02A187A0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-58h] | 1_3_029FF781
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then dec ebp | 1_3_02A05F40
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+1Ah] | 1_3_029DBF60
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 1_3_029DBF60
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov byte ptr [edi], cl | 1_3_029DBF60
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 1_3_02A06420
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+01h] | 1_3_029D1C10
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 1_3_029D9C20
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 1_3_029D9C20
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h] | 1_3_029F9420
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov ebx, ecx | 1_3_029DF450
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000300h] | 1_3_029EAC7C
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 1_3_029DADE0
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000E8h] | 1_3_029E0510
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 1_3_029FFD2E
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax-06C7276Ch] | 1_3_029FFD2E
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then mov dword ptr [esp], esi | 1_3_029EA55C
Source: C:\Users\user\Desktop\Setup.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 1_3_02A18570

Networking

            Source: Malware configuration extractorURLs: freshenqew.digital/wpoo
            Source: Malware configuration extractorURLs: soursopsf.run/gsoiao
            Source: Malware configuration extractorURLs: changeaie.top/geps
            Source: Malware configuration extractorURLs: easyupgw.live/eosz
            Source: Malware configuration extractorURLs: liftally.top/xasj
            Source: Malware configuration extractorURLs: upmodini.digital/gokk
            Source: Malware configuration extractorURLs: salaccgfa.top/gsooz
            Source: Malware configuration extractorURLs: zestmodp.top/zeda
            Source: Malware configuration extractorURLs: xcelmodo.run/nahd
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49694 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.56.180:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 89.169.54.153:443
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 79Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5dI7hEOG1n2vn9SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14904Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=rf35M10f2O520YzCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15058Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1A7EEI3UtYItdUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20532Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W6v3406CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 7068Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=nWxt4pOnf0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2393Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=f8rrACQESMlfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 594267Host: freshenqew.digital
            Source: global trafficHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 117Host: freshenqew.digital
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: freshenqew.digital
            Source: global trafficDNS traffic detected: DNS query: h1.mockupeastcoast.shop
            Source: unknownHTTP traffic detected: POST /wpoo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 79Host: freshenqew.digital
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: Setup.exeString found in binary or memory: http://www.winzip.com
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: Setup.exe, 00000001.00000003.1524628327.0000000003290000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: Setup.exe, 00000001.00000003.1587662280.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1592110079.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1587775738.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.1631768838.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1591797918.0000000000FCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital/
            Source: Setup.exe, 00000001.00000003.1574204842.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574414882.0000000000FCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital/K
            Source: Setup.exe, 00000001.00000002.1630080562.0000000000FA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital/W:
            Source: Setup.exe, 00000001.00000003.1591797918.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1575037367.000000000105F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574369104.000000000105D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital/wpoo
            Source: Setup.exe, 00000001.00000003.1493327195.0000000000FCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital/wpooH
            Source: Setup.exe, 00000001.00000003.1493496256.0000000000FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital:443/wpoo
            Source: Setup.exe, 00000001.00000002.1631768838.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1610714224.0000000000FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital:443/wpooCURQNKVOIX.docxPK
            Source: Setup.exe, 00000001.00000003.1574204842.0000000000FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://freshenqew.digital:443/wpoocrosoft
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
            Source: Setup.exe, 00000001.00000002.1631768838.0000000000FDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://h1.mockupeastcoast.shop/
            Source: Setup.exe, 00000001.00000002.1631768838.0000000000FDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://h1.mockupeastcoast.shop/shark.bin
            Source: Setup.exe, 00000001.00000002.1633671034.000000000103B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://h1.mockupeastcoast.shop/shark.binp
            Source: Setup.exe, 00000001.00000002.1631768838.0000000000FDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://h1.mockupeastcoast.shop/~L
            Source: Setup.exe, 00000001.00000002.1631768838.0000000000FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://h1.mockupeastcoast.shop:443/shark.binge
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
            Source: Setup.exe, 00000001.00000003.1498731167.0000000003278000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
            Source: Setup.exe, 00000001.00000003.1525988623.0000000003480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49694 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49695 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49696 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49697 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49698 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49699 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49700 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.56.180:443 -> 192.168.2.5:49701 version: TLS 1.2
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_02A0F570 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_00F410E8 NtTerminateThread
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_00F40B72 NtGetContextThread,NtSetContextThread,NtResumeThread
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_00F40CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_00F4066E NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F2018 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F1F87 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F1FDA NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 029E9760 appears 51 times
            Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 029DACD0 appears 65 times
            Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F0C8D CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_02A14480 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW
            Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Setup.exe, 00000001.00000003.1498623284.0000000003289000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1511807571.0000000003299000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1498124189.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1512244526.0000000003280000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: acgenral.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: samcli.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msacm32.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winmmbase.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: aclayers.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Setup.exe | Section loaded: profapi.dll
            Source: Setup.exe | Static file information: File size 10866688 > 1048576
            Source: Setup.exe | Static PE information: Raw size of _winzip_ is bigger than: 0x100000 < 0xa45000
            Source: Setup.exe | Static PE information: section name: _winzip_
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_029E2090 push ecx; retf 1_3_029E2091
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_029EDD5E push ds; retf 0002h 1_3_029EDD5F
            Source: C:\Users\user\Desktop\Setup.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Setup.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\Setup.exe TID: 3672 | Thread sleep time: -210000s >= -30000s
            Source: C:\Users\user\Desktop\Setup.exe TID: 3672 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: Setup.exe, 00000001.00000003.1587662280.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1592110079.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.1631768838.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574204842.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1587775738.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1493327195.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574414882.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1591797918.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: Setup.exe, 00000001.00000003.1587662280.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1592110079.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.1631768838.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574204842.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1587775738.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1493327195.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1574414882.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1591797918.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnO
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: Setup.exe, 00000001.00000002.1630080562.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXy
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: Setup.exe, 00000001.00000003.1512481734.00000000032C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\Setup.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_3_02A1A780 LdrInitializeThunk
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F057D mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F0B3D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F118D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F118C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F1B7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Code function: 1_2_010F0EED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Setup.exe, 00000001.00000003.1587662280.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1587454863.000000000105B000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1592110079.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.1636235660.0000000003260000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1587775738.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1588022550.000000000105D000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000002.1631768838.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1591797918.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\Setup.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: Process Memory Space: Setup.exe PID: 8176, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\Setup.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\ZQIXMVQGAHJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\BNAGMGSPLOJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\CURQNKVOIXJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
            Source: C:\Users\user\Desktop\Setup.exeDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
            Source: Yara matchFile source: 00000001.00000003.1574080506.000000000102D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Setup.exe PID: 8176, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000003.1627358157.0000000002B81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: Process Memory Space: Setup.exe PID: 8176, type: MEMORYSTR

            MITRE ATT&CK Matrix (techniques listed per tactic; a number in brackets is the count shown in the report's technique cell)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Windows Management Instrumentation [12]; Scheduled Task/Job; At; Cron; Launchd
            Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: Virtualization/Sandbox Evasion [21]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; DLL Side-Loading [1]; Software Packing
            Credential Access: OS Credential Dumping [2]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
            Discovery: Security Software Discovery [221]; Virtualization/Sandbox Evasion [21]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [22]
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Archive Collected Data [1]; Data from Local System [31]; Clipboard Data [2]; Input Capture; Keylogging
            Command and Control: Encrypted Channel [21]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
