Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1579289
MD5: a1c3164fd6b9950c543405e22b890ef4
SHA1: 0324f5d7bc8c0748ad6144b64a49a2c42e8989c5
SHA256: e8c8b44f2580765b01d7fb118b783b72c703c502feac7aebf8cfe412128de2fd
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: Setup.exe.6984.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "grannyejh.lat", "rapeflowwj.lat", "discokeyus.lat", "sustainskelet.lat", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "beefshooti.click"], "Build id": "jMw1IE--BARNI"}
Multi AV Scanner detection for submitted file
Source: Setup.exe Virustotal: Detection: 21% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 95.3% probability
Uses 32bit PE files
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\OlliXPShared\CASE\Projects\sly\AnyDVDVS2010\Loader\Release\Loader.pdb source: Setup.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+04h] 0_2_02346277
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, ecx 0_2_0232B278
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], E1CE25DBh 0_2_023602A8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edi, byte ptr [ebp+eax-36C2D23Bh] 0_2_023492D8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [ebx], ax 0_2_0233B303
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, ebx 0_2_0235030B
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, dword ptr [eax] 0_2_0235A368
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then push eax 0_2_0235A368
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx] 0_2_0235A368
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_0233735B
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then add esi, edi 0_2_0234F292
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 3FE33C50h 0_2_023390AF
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 0_2_02324088
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp dword ptr [0044524Ch] 0_2_02348118
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 0_2_023291B8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 0_2_023291B8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 36D9DBB9h 0_2_02360638
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp ecx 0_2_0235C668
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov dword ptr [esp], ecx 0_2_0234B646
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0234D748
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp al, 20h 0_2_0232442F
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [ebx], cx 0_2_0232E4D4
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0233E59D
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_02338AA8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edx, eax 0_2_0235CA98
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+00000098h] 0_2_0234FAD8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov eax, dword ptr [004471C4h] 0_2_0235DAD8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx-3Ah] 0_2_0234FB37
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], al 0_2_0234EB73
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], al 0_2_0234EB41
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], al 0_2_0234EBD7
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h] 0_2_023508D5
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h] 0_2_023508DE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-018FF572h] 0_2_023398CE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then push eax 0_2_0235D918
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov ecx, edx 0_2_0233F96F
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp word ptr [esi+edx], 0000h 0_2_0233F96F
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov edi, eax 0_2_02324998
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000A6h] 0_2_023389DA
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edi, byte ptr [eax] 0_2_0232CE39
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx eax, byte ptr [esp+edi+1E1E4EFFh] 0_2_0232AE78
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_0232AE78
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ecx, word ptr [ebp+edx+02h] 0_2_0235AE8D
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 29FCC5D8h 0_2_02338E8A
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_0234EF32
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp eax 0_2_02345F74
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+53E0EF23h] 0_2_0234EFA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_0234EFA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh 0_2_02338FC4
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_02356C18
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+3Ch] 0_2_0233EC42
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov word ptr [edx], cx 0_2_0233ACBE
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_02337CD4
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then jmp dword ptr [00444794h] 0_2_02338CC8
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp word ptr [ebp+esi+00h], 0000h 0_2_0233FD38
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-5Ch] 0_2_0233FD38
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 0_2_0235CD48
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 0_2_0235CD48
Source: C:\Users\user\Desktop\Setup.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], C72EB52Eh 0_2_0235CD48

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 104.21.18.185:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: beefshooti.click
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.18.185:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.18.185:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UWR8R0ZLOOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18115Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WLM76EKERNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8736Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OW6MLK98NRASK3JS3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20431Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=52XVOIWRBG3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1215Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SYRW8GCML8LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1076Host: beefshooti.click
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 114Host: beefshooti.click
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: beefshooti.click
Source: global traffic DNS traffic detected: DNS query: klipcatepiu0.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beefshooti.click
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Setup.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Setup.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Setup.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Setup.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Setup.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Setup.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Setup.exe String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Setup.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Setup.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Setup.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Setup.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Setup.exe String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Setup.exe, 00000000.00000003.1872367891.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Setup.exe, 00000000.00000003.1819729150.0000000000937000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1871753903.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1920087825.000000000352D000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964838463.00000000008EA000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1894718119.0000000003530000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1965877626.000000000352E000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1953892510.000000000352E000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1920395415.000000000097A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963648056.000000000097E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1898869229.0000000003530000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1871680309.000000000352B000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1819632856.0000000000934000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1953965346.000000000097A000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1965118218.000000000097E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1819729150.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1894491868.0000000003530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/
Source: Setup.exe, 00000000.00000003.1819729150.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/04
Source: Setup.exe, 00000000.00000003.1953965346.000000000097A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/J
Source: Setup.exe, 00000000.00000003.1920087825.000000000352D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/M
Source: Setup.exe, 00000000.00000002.1965877626.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/T
Source: Setup.exe, 00000000.00000003.1920395415.000000000097A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/a
Source: Setup.exe, 00000000.00000002.1964945087.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/api
Source: Setup.exe, 00000000.00000003.1819729150.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/api3
Source: Setup.exe, 00000000.00000003.1920350205.000000000099B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/api4
Source: Setup.exe, 00000000.00000003.1848405643.0000000003530000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1848575972.0000000003530000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click/apik
Source: Setup.exe, 00000000.00000002.1964945087.0000000000920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click:443/api
Source: Setup.exe, 00000000.00000003.1899326140.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963648056.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1819632856.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click:443/api:
Source: Setup.exe, 00000000.00000003.1963648056.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://beefshooti.click:443/apitxtPK
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Setup.exe, 00000000.00000002.1965118218.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop/
Source: Setup.exe, 00000000.00000003.1963648056.000000000097E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1965118218.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop/Z
Source: Setup.exe, 00000000.00000003.1963648056.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1964182119.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1965234192.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txt
Source: Setup.exe, 00000000.00000003.1963896889.000000000099C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1965200398.000000000099C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txt3
Source: Setup.exe, 00000000.00000003.1963648056.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1964182119.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop/int_clp_ldr_sha.txtMy
Source: Setup.exe, 00000000.00000003.1963648056.0000000000920000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://klipcatepiu0.shop:443/int_clp_ldr_sha.txtZChrome/dp.txtPK
Source: Setup.exe, 00000000.00000003.1821418039.0000000003581000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Setup.exe, 00000000.00000003.1821418039.000000000357F000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1821538973.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1848362704.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Setup.exe, 00000000.00000003.1821538973.0000000003553000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Setup.exe, 00000000.00000003.1821418039.000000000357F000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1821538973.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1848362704.0000000003578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Setup.exe, 00000000.00000003.1821538973.0000000003553000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: Setup.exe, 00000000.00000003.1820757238.000000000356A000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1820679032.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Setup.exe, 00000000.00000003.1873278682.000000000364A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.18.185:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1965353086.0000000002320000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0236E70B NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread, 0_2_0236E70B
Detected potential crypto function
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00035AA0 0_2_00035AA0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00035380 0_2_00035380
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_000356F7 0_2_000356F7
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00035AFC 0_2_00035AFC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00034B02 0_2_00034B02
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00035760 0_2_00035760
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00035BFB 0_2_00035BFB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0236E70B 0_2_0236E70B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232094B 0_2_0232094B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232B278 0_2_0232B278
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02341278 0_2_02341278
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023602A8 0_2_023602A8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0234F297 0_2_0234F297
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0234B2D4 0_2_0234B2D4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023502C9 0_2_023502C9
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02334308 0_2_02334308
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02330375 0_2_02330375
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0235A368 0_2_0235A368
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233C358 0_2_0233C358
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233F3B3 0_2_0233F3B3
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023503A0 0_2_023503A0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0235839E 0_2_0235839E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02342398 0_2_02342398
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023503FC 0_2_023503FC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023503E9 0_2_023503E9
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023283D8 0_2_023283D8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0234F292 0_2_0234F292
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02341068 0_2_02341068
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023260A8 0_2_023260A8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233A0FB 0_2_0233A0FB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02338123 0_2_02338123
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02344168 0_2_02344168
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023291B8 0_2_023291B8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02360638 0_2_02360638
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023256F8 0_2_023256F8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023336FC 0_2_023336FC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023276E8 0_2_023276E8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233B6D6 0_2_0233B6D6
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023386CD 0_2_023386CD
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02349718 0_2_02349718
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02354748 0_2_02354748
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0234E4B8 0_2_0234E4B8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232A4D8 0_2_0232A4D8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232C538 0_2_0232C538
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02359508 0_2_02359508
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023405C8 0_2_023405C8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02338AA8 0_2_02338AA8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02361A98 0_2_02361A98
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232FB29 0_2_0232FB29
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02332B2C 0_2_02332B2C
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02361898 0_2_02361898
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023378EC 0_2_023378EC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023508DE 0_2_023508DE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023598D8 0_2_023598D8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023398CE 0_2_023398CE
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02340908 0_2_02340908
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233F96F 0_2_0233F96F
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233B9FC 0_2_0233B9FC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023609E8 0_2_023609E8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023449C8 0_2_023449C8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02352E28 0_2_02352E28
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232AE78 0_2_0232AE78
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02357E52 0_2_02357E52
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232EE8E 0_2_0232EE8E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02358EF8 0_2_02358EF8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02333F00 0_2_02333F00
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02327F48 0_2_02327F48
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233DC18 0_2_0233DC18
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233EC42 0_2_0233EC42
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02358C98 0_2_02358C98
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02324CE8 0_2_02324CE8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02339CC4 0_2_02339CC4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02338CC8 0_2_02338CC8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0233FD38 0_2_0233FD38
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02340D18 0_2_02340D18
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02344D78 0_2_02344D78
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0235CD48 0_2_0235CD48
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02360DB8 0_2_02360DB8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0234BD80 0_2_0234BD80
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 023367B8 appears 57 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 02329D48 appears 77 times
PE / OLE file has an invalid certificate
Source: Setup.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Setup.exe, 00000000.00000003.1768413257.000000000290F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAnyDVD.exe0 vs Setup.exe
Source: Setup.exe, 00000000.00000001.1668969182.000000000003C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnyDVD.exe0 vs Setup.exe
Source: Setup.exe, 00000000.00000002.1964570876.000000000003C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnyDVD.exe0 vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilenameAnyDVD.exe0 vs Setup.exe
Uses 32bit PE files
Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1965353086.0000000002320000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232105B CreateToolhelp32Snapshot,Thread32First,CloseHandle, 0_2_0232105B
Source: C:\Users\user\Desktop\Setup.exe Command line argument: kernel32.dll 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: AnyDVDsentinel1 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: AnyDVDsentinel1 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: AnyDVDshow 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: -iso 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: AnyDVDtray.exe 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: VDtray.exe 0_2_00031240
Source: C:\Users\user\Desktop\Setup.exe Command line argument: ay.exe 0_2_00031240
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Setup.exe, 00000000.00000003.1821778706.0000000003525000.00000004.00000800.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1821237326.0000000003557000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Setup.exe Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Setup.exe Static file information: File size 73822344 > 1048576
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\OlliXPShared\CASE\Projects\sly\AnyDVDVS2010\Loader\Release\Loader.pdb source: Setup.exe
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0003121E LoadLibraryA,GetProcAddress,FreeLibrary,GetVersionExA,OpenEventA,GetCommandLineA,CloseHandle, 0_2_0003121E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00032E65 push ecx; ret 0_2_00032E78
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0235F7C8 push eax; mov dword ptr [esp], F9F8F7A6h 0_2_0235F7CA
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0235CA08 push eax; mov dword ptr [esp], E2E3E4E5h 0_2_0235CA16
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\Setup.exe System information queried: FirmwareTableInformation Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Setup.exe TID: 1744 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe TID: 3156 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Setup.exe, 00000000.00000002.1964945087.0000000000911000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1964182119.0000000000910000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1963648056.000000000090F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: Setup.exe, 00000000.00000003.1963648056.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1899467167.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1964182119.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1819729150.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000941000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXm
Source: Setup.exe, 00000000.00000003.1963648056.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1899467167.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1964182119.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.1819729150.0000000000941000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1964945087.0000000000941000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_000334EB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000334EB
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0003121E LoadLibraryA,GetProcAddress,FreeLibrary,GetVersionExA,OpenEventA,GetCommandLineA,CloseHandle, 0_2_0003121E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232094B mov edx, dword ptr fs:[00000030h] 0_2_0232094B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_02320F0B mov eax, dword ptr fs:[00000030h] 0_2_02320F0B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_023212BB mov eax, dword ptr fs:[00000030h] 0_2_023212BB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232155A mov eax, dword ptr fs:[00000030h] 0_2_0232155A
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0232155B mov eax, dword ptr fs:[00000030h] 0_2_0232155B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_000334EB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000334EB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0003171D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0003171D

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: Setup.exe String found in binary or memory: aspecteirs.lat
Source: Setup.exe String found in binary or memory: energyaffai.lat
Source: Setup.exe String found in binary or memory: necklacebudi.lat
Source: Setup.exe String found in binary or memory: discokeyus.lat
Source: Setup.exe String found in binary or memory: rapeflowwj.lat
Source: Setup.exe String found in binary or memory: crosshuaht.lat
Source: Setup.exe String found in binary or memory: sustainskelet.lat
Source: Setup.exe String found in binary or memory: grannyejh.lat
Source: Setup.exe String found in binary or memory: beefshooti.click
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0003301F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0003301F
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0003121E LoadLibraryA,GetProcAddress,FreeLibrary,GetVersionExA,OpenEventA,GetCommandLineA,CloseHandle, 0_2_0003121E
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Setup.exe, 00000000.00000003.1953965346.00000000009AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Setup.exe, 00000000.00000002.1965234192.00000000009AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Setup.exe, 00000000.00000003.1920350205.00000000009AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Electrum-LTC
Source: Setup.exe, 00000000.00000002.1965145083.000000000098A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\
Source: Setup.exe, 00000000.00000003.1899073722.0000000000997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Setup.exe, 00000000.00000002.1965145083.000000000098A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberZ
Source: Setup.exe, 00000000.00000003.1899467167.0000000000941000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Setup.exe, 00000000.00000003.1954019053.000000000099A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *exodus*
Source: Setup.exe, 00000000.00000003.1954019053.000000000099A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: *ethereum*
Source: Setup.exe, 00000000.00000003.1899073722.0000000000997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Setup.exe, 00000000.00000003.1899073722.0000000000997000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1899073722.0000000000997000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1899467167.0000000000941000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1899326140.0000000000941000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: Setup.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579289 Sample: Setup.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 10 klipcatepiu0.shop 2->10 12 beefshooti.click 2->12 16 Suricata IDS alerts for network traffic 2->16 18 Found malware configuration 2->18 20 Malicious sample detected (through community Yara rule) 2->20 22 5 other signatures 2->22 6 Setup.exe 2->6         started        signatures3 process4 dnsIp5 14 beefshooti.click 104.21.18.185, 443, 49730, 49731 CLOUDFLARENETUS United States 6->14 24 Query firmware table information (likely to detect VMs) 6->24 26 Found many strings related to Crypto-Wallets (likely being stolen) 6->26 28 Tries to harvest and steal browser information (history, passwords, etc) 6->28 30 Tries to steal Crypto Currency Wallets 6->30 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.18.185
 beefshooti.click United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
beefshooti.click 104.21.18.185 true
klipcatepiu0.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
necklacebudi.lat false
    		high
    aspecteirs.lat false
      		high
      beefshooti.click true
        		unknown
        sustainskelet.lat false
          		high
          crosshuaht.lat false
            		high
            rapeflowwj.lat false
              		high
              energyaffai.lat false
                		high
                https://beefshooti.click/api true
                  		unknown
                  grannyejh.lat false
                    		high
                    discokeyus.lat false
                      		high