Edit tour

Windows Analysis Report
fpIGwanLZi.exe

Overview

General Information

Sample name:	fpIGwanLZi.exe renamed because original name is a hash value
Original sample name:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e.exe
Analysis ID:	1588644
MD5:	b270344e0a2760f0faacbe25670635bc
SHA1:	2677ed82fcc97bc63ddba361d4c0052058d263c5
SHA256:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

fpIGwanLZi.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

fpIGwanLZi.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "recruitment_ck@bprck.co.id", "Password": "@BPR.ck22!!", "Host": "mail.bprck.co.id", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc75:$a1: get_encryptedPassword 0xdf50:$a2: get_encryptedUsername 0xda81:$a3: get_timePasswordChanged 0xdb7c:$a4: get_passwordField 0xdc8b:$a5: set_encryptedPassword 0xf26a:$a7: get_logins 0xf1cd:$a10: KeyLoggerEventArgs 0xee5c:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11428:$x1: $%SMTPDV$ 0x1148e:$x2: $#TheHashHere%& 0x12ac5:$x3: %FTPDV$ 0x12baf:$x4: $%TelegramDv$ 0xee5c:$x5: KeyLoggerEventArgs 0xf1cd:$x5: KeyLoggerEventArgs 0x12ae9:$m2: Clipboard Logs ID 0x12cff:$m2: Screenshot Logs ID 0x12e0f:$m2: keystroke Logs ID 0x130e9:$m3: SnakePW 0x12cd7:$m4: \SnakeKeylogger\
00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4acad:$a1: get_encryptedPassword 0x616cd:$a1: get_encryptedPassword 0x77eed:$a1: get_encryptedPassword 0x4af88:$a2: get_encryptedUsername 0x619a8:$a2: get_encryptedUsername 0x781c8:$a2: get_encryptedUsername 0x4aab9:$a3: get_timePasswordChanged 0x614d9:$a3: get_timePasswordChanged 0x77cf9:$a3: get_timePasswordChanged 0x4abb4:$a4: get_passwordField 0x615d4:$a4: get_passwordField 0x77df4:$a4: get_passwordField 0x4acc3:$a5: set_encryptedPassword 0x616e3:$a5: set_encryptedPassword 0x77f03:$a5: set_encryptedPassword 0x4c2a2:$a7: get_logins 0x62cc2:$a7: get_logins 0x794e2:$a7: get_logins 0x4c205:$a10: KeyLoggerEventArgs 0x62c25:$a10: KeyLoggerEventArgs 0x79445:$a10: KeyLoggerEventArgs
00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4e460:$x1: $%SMTPDV$ 0x64e80:$x1: $%SMTPDV$ 0x7b6a0:$x1: $%SMTPDV$ 0x4e4c6:$x2: $#TheHashHere%& 0x64ee6:$x2: $#TheHashHere%& 0x7b706:$x2: $#TheHashHere%& 0x4fafd:$x3: %FTPDV$ 0x6651d:$x3: %FTPDV$ 0x7cd3d:$x3: %FTPDV$ 0x4fbe7:$x4: $%TelegramDv$ 0x66607:$x4: $%TelegramDv$ 0x7ce27:$x4: $%TelegramDv$ 0x4be94:$x5: KeyLoggerEventArgs 0x4c205:$x5: KeyLoggerEventArgs 0x628b4:$x5: KeyLoggerEventArgs 0x62c25:$x5: KeyLoggerEventArgs 0x790d4:$x5: KeyLoggerEventArgs 0x79445:$x5: KeyLoggerEventArgs 0x4fb21:$m2: Clipboard Logs ID 0x4fd37:$m2: Screenshot Logs ID 0x4fe47:$m2: keystroke Logs ID
00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7660	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7660	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2a31:$a1: get_encryptedPassword 0xf2d02:$a2: get_encryptedUsername 0xf2847:$a3: get_timePasswordChanged 0xf2942:$a4: get_passwordField 0xf2a47:$a5: set_encryptedPassword 0xf4e47:$a7: get_logins 0xf4daa:$a10: KeyLoggerEventArgs 0xf4a39:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fpIGwanLZi.exe PID: 7660	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf4a39:$x5: KeyLoggerEventArgs 0xf4daa:$x5: KeyLoggerEventArgs 0xf58ff:$x5: KeyLoggerEventArgs 0xf5c3e:$x5: KeyLoggerEventArgs 0xf6f21:$m2: Clipboard Logs ID 0xf7013:$m2: Screenshot Logs ID 0xf7069:$m2: keystroke Logs ID 0xf719e:$m3: SnakePW 0xf6fff:$m4: \SnakeKeylogger\
Process Memory Space: fpIGwanLZi.exe PID: 7816	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7816	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101af:$a1: get_encryptedPassword 0x10480:$a2: get_encryptedUsername 0xffc5:$a3: get_timePasswordChanged 0x100c0:$a4: get_passwordField 0x101c5:$a5: set_encryptedPassword 0x125c5:$a7: get_logins 0x12528:$a10: KeyLoggerEventArgs 0x121b7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fpIGwanLZi.exe PID: 7816	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x121b7:$x5: KeyLoggerEventArgs 0x12528:$x5: KeyLoggerEventArgs 0x1307d:$x5: KeyLoggerEventArgs 0x133bc:$x5: KeyLoggerEventArgs 0x1469f:$m2: Clipboard Logs ID 0x14791:$m2: Screenshot Logs ID 0x147e7:$m2: keystroke Logs ID 0x1491c:$m3: SnakePW 0x1477d:$m4: \SnakeKeylogger\
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.fpIGwanLZi.exe.3ae5e38.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3ae5e38.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc075:$a1: get_encryptedPassword 0xc350:$a2: get_encryptedUsername 0xbe81:$a3: get_timePasswordChanged 0xbf7c:$a4: get_passwordField 0xc08b:$a5: set_encryptedPassword 0xd66a:$a7: get_logins 0xd5cd:$a10: KeyLoggerEventArgs 0xd25c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3ae5e38.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xcc0b:$s1: UnHook 0xcc12:$s2: SetHook 0xcc1a:$s3: CallNextHook 0xcc27:$s4: _hook
0.2.fpIGwanLZi.exe.3ae5e38.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf828:$x1: $%SMTPDV$ 0xf88e:$x2: $#TheHashHere%& 0x10ec5:$x3: %FTPDV$ 0x10faf:$x4: $%TelegramDv$ 0xd25c:$x5: KeyLoggerEventArgs 0xd5cd:$x5: KeyLoggerEventArgs 0x10ee9:$m2: Clipboard Logs ID 0x110ff:$m2: Screenshot Logs ID 0x1120f:$m2: keystroke Logs ID 0x114e9:$m3: SnakePW 0x110d7:$m4: \SnakeKeylogger\
3.2.fpIGwanLZi.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.fpIGwanLZi.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0xf05c:$a11: KeyLoggerEventArgsEventHandler
3.2.fpIGwanLZi.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0xea12:$s2: SetHook 0xea1a:$s3: CallNextHook 0xea27:$s4: _hook
3.2.fpIGwanLZi.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID 0x132e9:$m3: SnakePW 0x12ed7:$m4: \SnakeKeylogger\
0.2.fpIGwanLZi.exe.3afc858.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3afc858.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc075:$a1: get_encryptedPassword 0xc350:$a2: get_encryptedUsername 0xbe81:$a3: get_timePasswordChanged 0xbf7c:$a4: get_passwordField 0xc08b:$a5: set_encryptedPassword 0xd66a:$a7: get_logins 0xd5cd:$a10: KeyLoggerEventArgs 0xd25c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3afc858.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xcc0b:$s1: UnHook 0xcc12:$s2: SetHook 0xcc1a:$s3: CallNextHook 0xcc27:$s4: _hook
0.2.fpIGwanLZi.exe.3afc858.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf828:$x1: $%SMTPDV$ 0xf88e:$x2: $#TheHashHere%& 0x10ec5:$x3: %FTPDV$ 0x10faf:$x4: $%TelegramDv$ 0xd25c:$x5: KeyLoggerEventArgs 0xd5cd:$x5: KeyLoggerEventArgs 0x10ee9:$m2: Clipboard Logs ID 0x110ff:$m2: Screenshot Logs ID 0x1120f:$m2: keystroke Logs ID 0x114e9:$m3: SnakePW 0x110d7:$m4: \SnakeKeylogger\
0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0x24695:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0x24970:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0x244a1:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0x2459c:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0x246ab:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0x25c8a:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0x25bed:$a10: KeyLoggerEventArgs 0xf05c:$a11: KeyLoggerEventArgsEventHandler 0x2587c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0x2522b:$s1: UnHook 0xea12:$s2: SetHook 0x25232:$s2: SetHook 0xea1a:$s3: CallNextHook 0x2523a:$s3: CallNextHook 0xea27:$s4: _hook 0x25247:$s4: _hook
0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x27e48:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x27eae:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x294e5:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0x295cf:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x2587c:$x5: KeyLoggerEventArgs 0x25bed:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID 0x29509:$m2: Clipboard Logs ID 0x2971f:$m2: Screenshot Logs ID 0x2982f:$m2: keystroke Logs ID 0x132e9:$m3: SnakePW 0x29b09:$m3: SnakePW 0x12ed7:$m4: \SnakeKeylogger\
0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0x24895:$a1: get_encryptedPassword 0x3b0b5:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0x24b70:$a2: get_encryptedUsername 0x3b390:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0x246a1:$a3: get_timePasswordChanged 0x3aec1:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0x2479c:$a4: get_passwordField 0x3afbc:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0x248ab:$a5: set_encryptedPassword 0x3b0cb:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0x25e8a:$a7: get_logins 0x3c6aa:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0x25ded:$a10: KeyLoggerEventArgs 0x3c60d:$a10: KeyLoggerEventArgs
0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0x2542b:$s1: UnHook 0x3bc4b:$s1: UnHook 0xea12:$s2: SetHook 0x25432:$s2: SetHook 0x3bc52:$s2: SetHook 0xea1a:$s3: CallNextHook 0x2543a:$s3: CallNextHook 0x3bc5a:$s3: CallNextHook 0xea27:$s4: _hook 0x25447:$s4: _hook 0x3bc67:$s4: _hook
0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x28048:$x1: $%SMTPDV$ 0x3e868:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x280ae:$x2: $#TheHashHere%& 0x3e8ce:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x296e5:$x3: %FTPDV$ 0x3ff05:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0x297cf:$x4: $%TelegramDv$ 0x3ffef:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x25a7c:$x5: KeyLoggerEventArgs 0x25ded:$x5: KeyLoggerEventArgs 0x3c29c:$x5: KeyLoggerEventArgs 0x3c60d:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:36:50.633385+0100	2803305	3	Unknown Traffic	192.168.2.9	49757	104.21.48.1	443	TCP
2025-01-11T03:36:52.200851+0100	2803305	3	Unknown Traffic	192.168.2.9	49769	104.21.48.1	443	TCP
2025-01-11T03:36:55.059425+0100	2803305	3	Unknown Traffic	192.168.2.9	49795	104.21.48.1	443	TCP
2025-01-11T03:36:57.958539+0100	2803305	3	Unknown Traffic	192.168.2.9	49819	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:36:49.084489+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49744	193.122.6.168	80	TCP
2025-01-11T03:36:50.037614+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49744	193.122.6.168	80	TCP
2025-01-11T03:36:51.585532+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49763	193.122.6.168	80	TCP
2025-01-11T03:36:53.068894+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49776	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "recruitment_ck@bprck.co.id", "Password": "@BPR.ck22!!", "Host": "mail.bprck.co.id", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: fpIGwanLZi.exe	ReversingLabs: Detection: 63%
Source: fpIGwanLZi.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: fpIGwanLZi.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: fpIGwanLZi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49750 version: TLS 1.0

Source: fpIGwanLZi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: hEdIE.pdb source: fpIGwanLZi.exe
Source:	Binary string: hEdIE.pdbSHA256K source: fpIGwanLZi.exe

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49776 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49763 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49744 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49819 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49769 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49757 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49795 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.9:49750 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0290D584	0_2_0290D584
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_06C7B760	0_2_06C7B760
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_06C7B328	0_2_06C7B328
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_06C7CFA0	0_2_06C7CFA0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_06C7CB68	0_2_06C7CB68
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0B328	3_2_02B0B328
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0C190	3_2_02B0C190
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B06108	3_2_02B06108
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0C752	3_2_02B0C752
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0C470	3_2_02B0C470
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B04AD9	3_2_02B04AD9
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0CA32	3_2_02B0CA32
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0BBD2	3_2_02B0BBD2
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B06880	3_2_02B06880
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B09858	3_2_02B09858
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0BEB2	3_2_02B0BEB2
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B0B4F2	3_2_02B0B4F2
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B03572	3_2_02B03572
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_0696C254	3_2_0696C254
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_0696F308	3_2_0696F308

Source: fpIGwanLZi.exe, 00000000.00000000.1364389373.00000000007CC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehEdIE.exe< vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1376889034.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1383192228.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1383192228.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1389781295.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1390816772.0000000007CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000003.00000002.3844962097.0000000000D37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe	Binary or memory string: OriginalFilenamehEdIE.exe< vs fpIGwanLZi.exe

Source: fpIGwanLZi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: fpIGwanLZi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Mutant created: NULL

Source: fpIGwanLZi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fpIGwanLZi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fpIGwanLZi.exe	ReversingLabs: Detection: 63%
Source: fpIGwanLZi.exe	Virustotal: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: fpIGwanLZi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fpIGwanLZi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: fpIGwanLZi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: hEdIE.pdb source: fpIGwanLZi.exe
Source:	Binary string: hEdIE.pdbSHA256K source: fpIGwanLZi.exe

Source: fpIGwanLZi.exe

Static PE information: 0x9A1BCFA6 [Wed Dec 6 22:18:14 2051 UTC]

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_02B024B9 push 8BFFFFFFh; retf	3_2_02B024BF
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_06960040 push es; retf	3_2_06960EC0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_06960EC1 push es; retf	3_2_06961240
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 3_2_06961241 push es; iretd	3_2_06961414

Source: fpIGwanLZi.exe

Static PE information: section name: .text entropy: 6.958210174643718

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 4AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 93B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: A3B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: A5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: B5E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 10D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 4B70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598103	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594281	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Window / User API: threadDelayed 1709			Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Window / User API: threadDelayed 8135			Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7916	Thread sleep count: 1709 > 30	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7916	Thread sleep count: 8135 > 30	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598686s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598103s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7912	Thread sleep time: -594281s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598103	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 594281	Jump to behavior

Source: fpIGwanLZi.exe, 00000003.00000002.3845374292.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Memory written: C:\Users\user\Desktop\fpIGwanLZi.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Users\user\Desktop\fpIGwanLZi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Users\user\Desktop\fpIGwanLZi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ae5e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3afc858.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3afc858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ae5e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7816, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fpIGwanLZi.exe	63%	ReversingLabs	Win32.Trojan.Jalapeno
fpIGwanLZi.exe	79%	Virustotal		Browse
fpIGwanLZi.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C28000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CCD000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	fpIGwanLZi.exe, 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000003.00000002.3846138474.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588644
Start date and time:	2025-01-11 03:35:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fpIGwanLZi.exe renamed because original name is a hash value
Original Sample Name:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 103 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:36:46	API Interceptor	10963221x Sleep call for process: fpIGwanLZi.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.6.168	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	193.122.130.0
CLOUDFLARENETUS	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	104.21.96.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Download File

Process:	C:\Users\user\Desktop\fpIGwanLZi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.950802950730529
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	fpIGwanLZi.exe
File size:	757'760 bytes
MD5:	b270344e0a2760f0faacbe25670635bc
SHA1:	2677ed82fcc97bc63ddba361d4c0052058d263c5
SHA256:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e
SHA512:	9cb8c9e211e28b9d989993fce4b93429c24f1db7a57c54a594888489568b4f42dee6c8fbadf189978d117e76bf6a85f710484892ecfb3d55ab6cffdde81cf59d
SSDEEP:	12288:npZsS4aTEaFP2BHykEW+7CGpfxNuWro8wFiQ4Cg0:nzsHaTEw7Jl7FpruWro8wF9g
TLSH:	A1F4933D29BD222BA175C3A7CBDBF427F138986F3115AD6498D343A94346A4734C326E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4ba566
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9A1BCFA6 [Wed Dec 6 22:18:14 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba511	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8c08	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb856c	0xb8600	82e60ee3e19305397cc2f5935f919b74	False	0.7003138241525424	data	6.958210174643718	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x5ac	0x600	1fefeea52d892dd9bb08ebb0534bae89	False	0.4231770833333333	data	4.111005504871255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	c09020cb67e1caded6bd0125e1440504	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc090	0x31c	data			0.4396984924623116
RT_MANIFEST	0xbc3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:36:49.084489+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49744	193.122.6.168	80	TCP
2025-01-11T03:36:50.037614+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49744	193.122.6.168	80	TCP
2025-01-11T03:36:50.633385+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49757	104.21.48.1	443	TCP
2025-01-11T03:36:51.585532+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49763	193.122.6.168	80	TCP
2025-01-11T03:36:52.200851+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49769	104.21.48.1	443	TCP
2025-01-11T03:36:53.068894+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49776	193.122.6.168	80	TCP
2025-01-11T03:36:55.059425+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49795	104.21.48.1	443	TCP
2025-01-11T03:36:57.958539+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49819	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:36:48.206996918 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:48.213515043 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:48.217147112 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:48.298548937 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:48.304794073 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:48.850562096 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:48.856259108 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:48.861077070 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:49.043322086 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:49.084489107 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:49.095588923 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.095624924 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.095694065 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.103576899 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.103601933 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.570188999 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.570252895 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.575741053 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.575753927 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.576139927 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.631371975 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.646361113 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.687324047 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.767065048 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.767157078 CET	443	49750	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.767210007 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.774025917 CET	49750	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.778161049 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:49.782917023 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:49.991183043 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:49.993500948 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.993545055 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:49.993628025 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.993915081 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:49.993925095 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:50.037614107 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.476022005 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:50.478518009 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:50.478562117 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:50.633400917 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:50.633474112 CET	443	49757	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:50.634356022 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:50.634865046 CET	49757	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:50.638310909 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.639870882 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.643259048 CET	80	49744	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:50.643321037 CET	49744	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.644649029 CET	80	49763	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:50.645138025 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.645457983 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:50.650245905 CET	80	49763	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:51.535799026 CET	80	49763	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:51.541989088 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:51.542035103 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:51.542102098 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:51.545929909 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:51.545947075 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:51.585531950 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.036747932 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:52.038569927 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:52.038619995 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:52.200860977 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:52.200918913 CET	443	49769	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:52.200968981 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:52.201466084 CET	49769	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:52.204823971 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.205985069 CET	49776	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.210155964 CET	80	49763	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:52.210210085 CET	49763	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.210850954 CET	80	49776	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:52.210912943 CET	49776	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.211014032 CET	49776	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:52.215864897 CET	80	49776	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:53.013863087 CET	80	49776	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:53.015433073 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.015490055 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.015727043 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.015991926 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.016010046 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.068893909 CET	49776	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:53.486401081 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.488250971 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.488285065 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.645328999 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.645490885 CET	443	49783	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:53.645572901 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.646137953 CET	49783	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:53.659563065 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:53.664382935 CET	80	49789	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:53.664659023 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:53.664891958 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:53.669709921 CET	80	49789	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:54.424226999 CET	80	49789	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:54.427087069 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:54.427128077 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:54.427349091 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:54.427689075 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:54.427697897 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:54.475218058 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:54.902738094 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:54.904328108 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:54.904356956 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:55.059431076 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:55.059503078 CET	443	49795	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:55.059631109 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:55.060115099 CET	49795	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:55.063702106 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:55.064866066 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:55.068707943 CET	80	49789	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:55.068783045 CET	49789	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:55.069802046 CET	80	49801	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:55.069900036 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:55.070142031 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:55.075052977 CET	80	49801	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:56.044583082 CET	80	49801	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:56.046067953 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.046101093 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.046268940 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.046514988 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.046525002 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.084507942 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.501763105 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.506540060 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.506561041 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.656407118 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.656472921 CET	443	49807	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:56.656585932 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.657083988 CET	49807	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:56.660404921 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.661720991 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.665349007 CET	80	49801	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:56.665409088 CET	49801	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.666562080 CET	80	49813	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:56.666627884 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.666769981 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:56.671561956 CET	80	49813	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:57.336054087 CET	80	49813	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:57.337340117 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.337404966 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.337466002 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.337786913 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.337801933 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.376981020 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.818418026 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.822834015 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.822863102 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.958568096 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.958638906 CET	443	49819	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:57.958678961 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.959330082 CET	49819	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:57.963098049 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.964112997 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.968604088 CET	80	49813	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:57.968669891 CET	49813	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.968918085 CET	80	49825	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:57.968991995 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.969089985 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:57.973866940 CET	80	49825	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:58.800096035 CET	80	49825	193.122.6.168	192.168.2.9
Jan 11, 2025 03:36:58.801561117 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:58.801594973 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:58.801671028 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:58.801966906 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:58.801975965 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:58.850202084 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:36:59.256124020 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:59.258259058 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:59.258327007 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:59.389808893 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:59.389873028 CET	443	49831	104.21.48.1	192.168.2.9
Jan 11, 2025 03:36:59.389935970 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:36:59.390641928 CET	49831	443	192.168.2.9	104.21.48.1
Jan 11, 2025 03:37:58.014384985 CET	80	49776	193.122.6.168	192.168.2.9
Jan 11, 2025 03:37:58.014452934 CET	49776	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:38:03.799129009 CET	80	49825	193.122.6.168	192.168.2.9
Jan 11, 2025 03:38:03.801393032 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:38:38.805527925 CET	49825	80	192.168.2.9	193.122.6.168
Jan 11, 2025 03:38:38.812999010 CET	80	49825	193.122.6.168	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:36:48.177910089 CET	59311	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:36:48.186691046 CET	53	59311	1.1.1.1	192.168.2.9
Jan 11, 2025 03:36:49.087960005 CET	65051	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:36:49.094937086 CET	53	65051	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:36:48.177910089 CET	192.168.2.9	1.1.1.1	0x8ada	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.087960005 CET	192.168.2.9	1.1.1.1	0x1314	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:48.186691046 CET	1.1.1.1	192.168.2.9	0x8ada	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:36:49.094937086 CET	1.1.1.1	192.168.2.9	0x1314	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49744	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:48.298548937 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:36:48.850562096 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:36:48.856259108 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:36:49.043322086 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:36:49.778161049 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:36:49.991183043 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49763	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:50.645457983 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:36:51.535799026 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49776	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:52.211014032 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:36:53.013863087 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49789	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:53.664891958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:36:54.424226999 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49801	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:55.070142031 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:36:56.044583082 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49813	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:56.666769981 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:36:57.336054087 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49825	193.122.6.168	80	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:36:57.969089985 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:36:58.800096035 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49750	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:36:49 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877798 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QDcQ2IJf8dVPJFCkhFE9AkUADB8N6AcHzVFmbViZQzMwR4E0LDWJTFMhIwZ%2Bw4T2N%2Bw96iwUifOaLkagV%2F26qR%2BHIqnx4%2F7%2FoU3mStqxYmXgti%2FozAuGsOCivH65ihPKrdRJn3ai"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001857a9892c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1520&min_rtt=1517&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1924851&cwnd=214&unsent_bytes=0&cid=4ee41a640fbc1a97&ts=214&x=0"
2025-01-11 02:36:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49757	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:50 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:36:50 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877799 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NzVmeNupji25idfgfLP4jThXxXETmkje0TvLG1P%2BdefDGic7X9QOseDPGtV9lXmn1QuFKcXRxEcG%2B6dm%2FvFywcnMW4XVPgx4UPGFUlHGdKfbr5Agbxn9Lp%2Bg%2FxHiR4XT3ilHDsoG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900185800de142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1592&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1787025&cwnd=240&unsent_bytes=0&cid=516051612cb771e1&ts=162&x=0"
2025-01-11 02:36:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49769	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:52 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:36:52 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877801 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R9anSDn7Rb4HA8MqfCzTwsxNOxRWeU4J5vuDmX3Rm1%2BtAb88jiQX5c4GF6IWCJfNBD3OLntw18Zk0%2Bfj8ZiHRQElY2WkmxpwreOV%2FNY73p9DnOVwsp%2FGP%2BrX2TSjoyesr8J7k6th"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90018589ca1142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1547&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1760096&cwnd=240&unsent_bytes=0&cid=d0bd9d85ae0293cb&ts=155&x=0"
2025-01-11 02:36:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49783	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:36:53 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877802 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sEXFebcQvYQFDNG0Rib%2Bwj7Ohiv3Zu%2FfUYu566pu6eALPcUtYpFnSlJ%2F86%2Bihn5u9htvYESCWt1E1bL2iePa9%2BszFztDAAgyIeEXQm7QnYBfkZD8JnpKzyNBkxfaSXcN4B6XLZNZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90018592e8fb43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1650&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1769696&cwnd=226&unsent_bytes=0&cid=237a3bfbc981a9a0&ts=163&x=0"
2025-01-11 02:36:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49795	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:54 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:36:55 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877804 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ze6d%2BU4%2BSNbhRgziQKOIzDBX9a2fpU3m4vude2yizSu7liUULnsOSY9iILQdHliavWG2UCfwvFplltUCCqZWPqvctm7drUOOV5UNj231d%2Fq8IN10ZnksKFlwn37z1aMSYF4aWCVF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001859bb90fc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1604&rtt_var=640&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1660978&cwnd=228&unsent_bytes=0&cid=f3962f47a4827771&ts=164&x=0"
2025-01-11 02:36:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49807	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:56 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:36:56 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877805 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fRD8mDPnttyI7LzZK5GpQGEo0uNkD2Iaj%2BxN9td6OUglosYVmOQZ1WKT%2FNXYX0DQ7E6qnYYjA%2BGg7nYLs4%2FF1MPdoaP0v%2B37oHXO5nDhLiS8PoRxiGRwqqGTSwC1dIcDYE4pTFnA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900185a5be3842e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1687&rtt_var=643&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1689814&cwnd=240&unsent_bytes=0&cid=7618ebb6445c5e42&ts=157&x=0"
2025-01-11 02:36:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49819	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:36:57 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877807 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zGAh6HKbsn0pd3dXnpo0JYVUv7j%2F9D6ZVf23CXniKJw4O6kFEEDd840Sl1%2FG0laIfGCbGH67vDTC%2BkFGFEWaLowLihE9YHxS%2FMNUkfuyL03Bk6O1C0iZ53HHSQmWd22VjAwVyM5l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900185add90442e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1728&min_rtt=1722&rtt_var=659&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1645070&cwnd=240&unsent_bytes=0&cid=40f37d47e36c81e9&ts=142&x=0"
2025-01-11 02:36:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49831	104.21.48.1	443	7816	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:36:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:36:59 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:36:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1877808 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mtJ8L4WM9%2BkZ%2FNTaldZd%2BI9SkP%2Fv7Zfq0E%2FVYGF6QL3fT0hSztZfwuqK0f3jsdLKYB5OUOLoLZmUHPdlZIZmgKrOq5buVoQHyaL%2F7HN82N1X03kobvMX7f3lfYAZdMhQG1EXMdYU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900185b6dfb2c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1548&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1762220&cwnd=228&unsent_bytes=0&cid=ac88ab57a307e02e&ts=138&x=0"
2025-01-11 02:36:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: fpIGwanLZi.exePID: 7660, Parent PID: 3504

General

Target ID:	0
Start time:	21:36:46
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0x710000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1385537496.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: fpIGwanLZi.exePID: 7816, Parent PID: 7660

General

Target ID:	3
Start time:	21:36:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0x8d0000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.3844854366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3846138474.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: fpIGwanLZi.exePID: 7660, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	67
Total number of Limit Nodes:	9

Executed Functions

Function 0290D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0290D646
GetCurrentThread.KERNEL32 ref: 0290D683
GetCurrentProcess.KERNEL32 ref: 0290D6C0
GetCurrentThreadId.KERNEL32 ref: 0290D719

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3d5c06068e3b3b312f76626d8a7293952e7ab9a28c8ff511f79d9b7b33f1ba18
Instruction ID: e2efe1eae8fa1e736906a654d2f6ad296b7dfb250dbfac44dae52952f32301e2
Opcode Fuzzy Hash: 3d5c06068e3b3b312f76626d8a7293952e7ab9a28c8ff511f79d9b7b33f1ba18
Instruction Fuzzy Hash: EA5158B09017498FEB14DFA9D588BDEBBF2EF48304F24805AE019A73A0D774A945CF65

Function 0290D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0290D646
GetCurrentThread.KERNEL32 ref: 0290D683
GetCurrentProcess.KERNEL32 ref: 0290D6C0
GetCurrentThreadId.KERNEL32 ref: 0290D719

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c13bd686d6e3e5a8d1c071f17f54d63683aaa8935d8eb2443177bccad7de1ff6
Instruction ID: 48fae04a5508eb66b50f02b428af03334bbd92188918c24bfdee27c83e23ff59
Opcode Fuzzy Hash: c13bd686d6e3e5a8d1c071f17f54d63683aaa8935d8eb2443177bccad7de1ff6
Instruction Fuzzy Hash: E15147B09017099FEB14DFAAD588B9EBBF1FF48304F248059E019A7390D774A944CF66

Function 06C7E094 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C7E2D6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 031d54aeaf634c0733ccf509119f2155d6b2c4b104c35560bc029d8f422a9510
Instruction ID: d4423da470397c7ce26e6ce80495c7cdb3b0f7b8657e733e25f5dd33de147a85
Opcode Fuzzy Hash: 031d54aeaf634c0733ccf509119f2155d6b2c4b104c35560bc029d8f422a9510
Instruction Fuzzy Hash: 48A15D72D00319DFEB60DF69C8417EEBBB2BF48310F1485A9E809A7250DB759A85CF91

Function 06C7E0A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C7E2D6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7f6ed0db8648fe523dd0a5bd998666815cd2ef4bc2955f9e81a04fdc08fec92e
Instruction ID: 10d087b88a339ba913113274d889cb46e69f35b8f624abd46af8efd6cc3d4ff7
Opcode Fuzzy Hash: 7f6ed0db8648fe523dd0a5bd998666815cd2ef4bc2955f9e81a04fdc08fec92e
Instruction Fuzzy Hash: 35915E72D00719CFEB60DF69C8417EEBBB2BF48310F1485A9E809A7250DB759A85CF91

Function 08141398 Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1390860015.0000000008140000.00000040.00000800.00020000.00000000.sdmp, Offset: 08140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8140000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a322fb33e241cbfd7c743a971d7a38b4e78df9419cb27ee99c0dfa33855f9fc
Instruction ID: 165418a540cdd81eb86dd72ac477f697410b83b189e26be0f5fa99eee2bb86d4
Opcode Fuzzy Hash: 8a322fb33e241cbfd7c743a971d7a38b4e78df9419cb27ee99c0dfa33855f9fc
Instruction Fuzzy Hash: B091FA35A00218DFDB14DFA4D598AEEB7F2FF89211F244499D405AB390DB35AD82CFA1

Function 0290AF19 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0290B17E

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ab18db07370c929f096cb6fc6f10b50202f558bba666ace8ecfafeb496df9f50
Instruction ID: 8cef5e1138205d28f6facfff955fa83e48aea5a9772bd9b560fa97a1cd3d90aa
Opcode Fuzzy Hash: ab18db07370c929f096cb6fc6f10b50202f558bba666ace8ecfafeb496df9f50
Instruction Fuzzy Hash: B1813570A00B498FD724CF29D49479ABBF5FF88304F10892ED59AD7A90D775E84ACB90

Function 0290590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029059C9

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 29a70e427ad0a79fb27ad6f740cac45ab23231bb9868b27c72d5ea91339fb3f0
Instruction ID: 2e56ec28d5b48d7c0237bdc3310ce0588c4ab6b0ff03eda99cc183e16086671f
Opcode Fuzzy Hash: 29a70e427ad0a79fb27ad6f740cac45ab23231bb9868b27c72d5ea91339fb3f0
Instruction Fuzzy Hash: F341AF70C0171DCFEB24CFAAC88578EBBB6BF49704F60846AD409AB251DB756946CF50

Function 0290449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029059C9

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c1c2545029cc977489ac199914144f1e799e34c5e0cc3498d5c06fb405941bd
Instruction ID: a5509a2fb81b89819e4539dee9d2b60589fee76011c62b766983edd8214c886e
Opcode Fuzzy Hash: 1c1c2545029cc977489ac199914144f1e799e34c5e0cc3498d5c06fb405941bd
Instruction Fuzzy Hash: 0341D270C0071DCFEB24CFAAC88478EBBB6BF49704F60846AD409AB251DB756946CF90

Function 02905A84 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc8c176755e36fc7f9176d936231a4e49817ad2f3b3b913b430262a8f636bd9
Instruction ID: cf6a1013d56eacc075c8a7849d7870fd193b2c8b04962ae8fed90bf51b5fa25b
Opcode Fuzzy Hash: ecc8c176755e36fc7f9176d936231a4e49817ad2f3b3b913b430262a8f636bd9
Instruction Fuzzy Hash: 9631AAB180575DCFEB01CFA4C89479EBBF1BF46308FA4418AD415AB291C779A94ACF11

Function 08145D50 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 08145DEF

Memory Dump Source

Source File: 00000000.00000002.1390860015.0000000008140000.00000040.00000800.00020000.00000000.sdmp, Offset: 08140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8140000_fpIGwanLZi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: d0f5a0409c1e7dce5365d8ee8623ccfa0b6f03e5a92411514b7d10087c15234b
Instruction ID: 8bb7fae17a5c5a820104f59c603f623a6de89fff610ce59d076167aafaef217c
Opcode Fuzzy Hash: d0f5a0409c1e7dce5365d8ee8623ccfa0b6f03e5a92411514b7d10087c15234b
Instruction Fuzzy Hash: AE31C0B5D012099FDB10CF9AD884ADEFBF9EF48320F14842EE819A7210D775A945CFA5

Function 06C7DE10 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C7DEA8

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7f1b38a4931e5fe0c92c9d1c77f2e55b2b4fcec4be50c7349d8872dbe1ce308a
Instruction ID: f91e24c595875ace99eec225a6dc8256ac1e568865b0a6e74ecfea88cf58e909
Opcode Fuzzy Hash: 7f1b38a4931e5fe0c92c9d1c77f2e55b2b4fcec4be50c7349d8872dbe1ce308a
Instruction Fuzzy Hash: 252106B59003099FDB10CFA9C885BEEBBF5FF48310F148429E919A7250D779AA55CBA0

Function 06C7DE18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C7DEA8

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b1166deb08a4c3cce20c96fe8d314ffa1033fcde16ef3221cfa7e836972753c5
Instruction ID: 1eb42803350bef983d67d434772f8b23ac4e7ed52a3391fcd31c946be361fb98
Opcode Fuzzy Hash: b1166deb08a4c3cce20c96fe8d314ffa1033fcde16ef3221cfa7e836972753c5
Instruction Fuzzy Hash: 852115B19003099FDB10CFA9C885BEEBBF5FF48310F14842AE919A7240D779A944CBA0

Function 08145D58 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 08145DEF

Memory Dump Source

Source File: 00000000.00000002.1390860015.0000000008140000.00000040.00000800.00020000.00000000.sdmp, Offset: 08140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8140000_fpIGwanLZi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: bcd2824d37b095b3f941530405cff8f7059ce7ffdc50c35498a3f3ab4e5c7fec
Instruction ID: ef3b589930b1972e4dfe6072fa7e76b5cb20459aafcd8ea60a3141d232f5e57b
Opcode Fuzzy Hash: bcd2824d37b095b3f941530405cff8f7059ce7ffdc50c35498a3f3ab4e5c7fec
Instruction Fuzzy Hash: 7C21ACB5D0024A9FDB10CF9AD884ADEFBF5AF48320F14842EE919A7210D775A945CFA4

Function 06C7D871 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7D8F6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e8fe14c752c08b281d801ba32d5f216c0003e7ebfea95828feeade3ee6966a5f
Instruction ID: c4de11e9ce0d24703fcd13179b67f59fcf6ab9ecc2f82c2dc55b8dfaea2a308e
Opcode Fuzzy Hash: e8fe14c752c08b281d801ba32d5f216c0003e7ebfea95828feeade3ee6966a5f
Instruction Fuzzy Hash: 65213871D003099FDB10DFAAC8857EEBBF4EF48210F14842AD459B7240CB78AA44CFA1

Function 06C7DF00 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C7DF88

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d94525190848114ea96e33103c530a2bcfbf7511cb339741a832d5cea053fc32
Instruction ID: c4593b4fe47297deae3f57e86eb6ca5d2e56d4d72be73273b70db4837d978ade
Opcode Fuzzy Hash: d94525190848114ea96e33103c530a2bcfbf7511cb339741a832d5cea053fc32
Instruction Fuzzy Hash: 0F2148B2D003499FDB10DFAAC880BEEBBF5FF48310F50842AE519A7240C7799941CBA0

Function 0290D808 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0290D897

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 959c57e919cb3b2202e3dc26c3da5d4d554cea6a021844e6b6df0dbeb203bf6f
Instruction ID: f25590f7223f8bd2ea1213b7fc284a1e2506ed689b4fa1dedf51f2b4c807a57e
Opcode Fuzzy Hash: 959c57e919cb3b2202e3dc26c3da5d4d554cea6a021844e6b6df0dbeb203bf6f
Instruction Fuzzy Hash: 632112B5D00249DFDB10CFAAD585ADEBBF4FB08310F14842AE958A3350D378A945CFA4

Function 06C7DF08 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C7DF88

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8d16cf464211b242ecb2f8fb3537474872314ec84dfdf84b1d71898ee913b9e8
Instruction ID: 72388c2e4579e9186f684e7b1a3ff8367584fda78168b4b2cbb86e0fd6993a23
Opcode Fuzzy Hash: 8d16cf464211b242ecb2f8fb3537474872314ec84dfdf84b1d71898ee913b9e8
Instruction Fuzzy Hash: D32125B1C003499FDB10CFAAC884BEEBBF5FF48310F14842AE519A7240C779A940CBA1

Function 06C7D878 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7D8F6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 414cb461b79c5a2b84b3451e2a1b8a2cabb6fc09228161ddf6fabb6649670dc9
Instruction ID: 6804eb7ffa0e257037174ae87f81ee2432e084d24cdfc19e640dcc80bc68f826
Opcode Fuzzy Hash: 414cb461b79c5a2b84b3451e2a1b8a2cabb6fc09228161ddf6fabb6649670dc9
Instruction Fuzzy Hash: 642115B1D003098FDB10DFAAC4857EEBBF5EF48210F54842AD559A7240DB78AA44CFA5

Function 0290D810 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0290D897

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a612c157e295b1e1201a01455ad74f7e399e1fd5c81dda3d526a046a4a51e26
Instruction ID: fb4e70d976491d5f045fed808a86139784f36e1bff096ab1a9ed9fba613d2f1a
Opcode Fuzzy Hash: 3a612c157e295b1e1201a01455ad74f7e399e1fd5c81dda3d526a046a4a51e26
Instruction Fuzzy Hash: 5221E4B5D00209DFDB10CF9AD584ADEFBF9EB48310F14841AE918A3350D374A940CFA4

Function 06C7DD50 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7DDC6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5a45b8f02498b227a4eea8198bfd40a44f9cd21c5ea4eb646464935358fd1f79
Instruction ID: 3208cac8460ae981f56c7a6b6b6ea93b9442d1ebfc4d3fb344fcaab0e5bfc64c
Opcode Fuzzy Hash: 5a45b8f02498b227a4eea8198bfd40a44f9cd21c5ea4eb646464935358fd1f79
Instruction Fuzzy Hash: B01147769002099FDB10DFAAD845BEFBBF5EF48310F148419E519A7250CB76A540CFA1

Function 06C7D7C1 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C7D82A

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5455cfd4f13458c9090abced2e26ddf27bd06caa64d6232f1fb177cb93622524
Instruction ID: dc62da9750b57557525373f0548248c19ae781abcd885ec4e4efc3573ccbbaac
Opcode Fuzzy Hash: 5455cfd4f13458c9090abced2e26ddf27bd06caa64d6232f1fb177cb93622524
Instruction Fuzzy Hash: 8B1128B1D003498BDB10DFAAD8457EFFBF5EF88220F14842AD519A7240C779A544CBE5

Function 06C7DD58 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7DDC6

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f4861c631c13a525747136391088330a83ee58d349047ba82173e81262f0a0e
Instruction ID: caac6ae6f5ac910bd9a688922e17afd9eec01bab7b34a10972bf61fa8aae15b4
Opcode Fuzzy Hash: 5f4861c631c13a525747136391088330a83ee58d349047ba82173e81262f0a0e
Instruction Fuzzy Hash: 4F1134729003499FDB10DFAAD845BEFBBF5EF48320F14881AE519A7250C779A940CFA4

Function 06C7D7C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C7D82A

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cd3a409ba1b55eaf88dbc0e4e400901366d305184f45d314310546d3b5637231
Instruction ID: bf92192af15f7e4e2cd3f00647dfa477c977984815829ef3d960a7eead82a91b
Opcode Fuzzy Hash: cd3a409ba1b55eaf88dbc0e4e400901366d305184f45d314310546d3b5637231
Instruction Fuzzy Hash: 251125B1D003498BDB10DFAAC4457EEFBF5EF88220F24842AD519A7240C779A944CBA4

Function 0290B118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0290B17E

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ea57fe15506e16b903c356b951e3f2642ba3443048b6a75e12f12f48cdbd6f8
Instruction ID: 8f401036447892fc82c13f99f898fe4e63f0c9af894a4bd8bd398025cbfcbe7a
Opcode Fuzzy Hash: 3ea57fe15506e16b903c356b951e3f2642ba3443048b6a75e12f12f48cdbd6f8
Instruction Fuzzy Hash: 7B1110B6C007498FDB10CF9AC884BDEFBF8EB88314F10842AD418A7250C379A545CFA1

Function 010BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379432619.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b659ef651bb68c4efe801890e0f3d2f712df6d8192e1efd15ae13ebe08d16013
Instruction ID: f6bc30d24d7450eba93ff8c124dcb34c72967fbdc77b4c577b0d0f4969965ba6
Opcode Fuzzy Hash: b659ef651bb68c4efe801890e0f3d2f712df6d8192e1efd15ae13ebe08d16013
Instruction Fuzzy Hash: C3214871500304DFDB05DF44C9C0B9AFBA5FB84318F24C5A9E9490B247C73AE446CBA2

Function 010CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379587642.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d755c04327922c7abf71268ddce4c878b96d1f7c24dd571f9945bdd41754da
Instruction ID: d02b3ffd070f691770f60265f9d65d2efeb0e37d8493071e3ebc387f10a5d879
Opcode Fuzzy Hash: 76d755c04327922c7abf71268ddce4c878b96d1f7c24dd571f9945bdd41754da
Instruction Fuzzy Hash: 4E21F1715043409FDB15DF98D4C0B1ABBA5EB84614F34C5ADE88A4B282C336D407CBA2

Function 010CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379587642.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9c3ba83adfe338b167a6105a82a270b4f4440a2cdd4f91973e42dcb438ea15
Instruction ID: 756695f928c9e75b67315ca4d45dccf681e75f2be013d2c19772ec958ab8cc29
Opcode Fuzzy Hash: 6d9c3ba83adfe338b167a6105a82a270b4f4440a2cdd4f91973e42dcb438ea15
Instruction Fuzzy Hash: E621D071504244AFDB05DF94D9C0B2ABBA6FB94724F24C5BDE8894B292C336D846CFA1

Function 010CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379587642.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248f250b62ef27040153bd83a6528f102dd31b338fa3d0fa316bc2d78235aa1d
Instruction ID: 7a39f87cbfe52ee0436c9853c2dccecab24acfabe150765bc40c50911c2d180d
Opcode Fuzzy Hash: 248f250b62ef27040153bd83a6528f102dd31b338fa3d0fa316bc2d78235aa1d
Instruction Fuzzy Hash: 892198755083809FCB03CF54D594715BFB1EB46314F24C5EAD8854F297C33A9846CBA2

Function 010BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379432619.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10bd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 8a675f528f757af8fca9710966105c2185729e3354d3e18da6025a0dc93c15dc
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 0911CD72404240CFCB02CF44D5C0B96BFA1FB84328F2486A9D8490A656C33AE45ACBA2

Function 010CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1379587642.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10cd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: ff4b65981c409422ecd3ce479796cd442cca775da7a5e2bc37a9480ba0b67be2
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: C311BE75504240DFCB02CF54C5C0B19BBA2FB84624F24C6AED8494B696C33AD44ACF91

Non-executed Functions

Function 06C7B760 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fed2d089846613ba80eb4bb7b8152743720386fe760eaf28a4796b1d3ae0c2a
Instruction ID: b19971fbab197b3e2c1cea0c307c6dee6cfa0f0bb03c1aec25716bd2fa8c0ae3
Opcode Fuzzy Hash: 9fed2d089846613ba80eb4bb7b8152743720386fe760eaf28a4796b1d3ae0c2a
Instruction Fuzzy Hash: 38E1F874E0025A8FDB54DFA9C580AAEFBB2FF89305F248169D414AB359D731AD42CF60

Function 06C7B328 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2447cbb701f2cbac8c20a863bbb7080fc7f037d8cb595378fe9b1bd15f26f11
Instruction ID: 149ff3bc9fdecd3bdfbdd11dc42920ae55f86088ffa76125d31cc8925a284fdb
Opcode Fuzzy Hash: a2447cbb701f2cbac8c20a863bbb7080fc7f037d8cb595378fe9b1bd15f26f11
Instruction Fuzzy Hash: DDE1F774E0025A8FDB54DFA9C580AAEFBB2FF89305F248169D414AB355D731AD42CFA0

Function 06C7CFA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b368d827e02732429f4bb24cf5513c25a7ea21f7833e0c9e877aad716b07878
Instruction ID: 27649b869a5b30338a9d44b632f40c8be94667a2baa1176bef1268295fd0250e
Opcode Fuzzy Hash: 6b368d827e02732429f4bb24cf5513c25a7ea21f7833e0c9e877aad716b07878
Instruction Fuzzy Hash: 8AE12674E0025A8FDB14DFA9C580AAEFBB2FF89301F248169D415AB355D731AD42CFA0

Function 06C7CB68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389637587.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293767f9a57fe0a3ddfedb5a9c8aad8e73de11e469c6a0d13f81d9d2932acdf6
Instruction ID: 0f1043a00c079aaf0470a639408b52aefed0a72343b426fc159d419cd0b43c99
Opcode Fuzzy Hash: 293767f9a57fe0a3ddfedb5a9c8aad8e73de11e469c6a0d13f81d9d2932acdf6
Instruction Fuzzy Hash: A2E1E774E0025A8FDB54DFA9C580AAEFBB2FF89305F248169D414AB355D731AD42CFA0

Function 0290D584 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381991022.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288ee58ec4b9e13de987058b354565d8acbff20ca471d7382a6308f56360bbf5
Instruction ID: 96da38c0d9d1fcdc0db45e4a3f5475d67a2cd84c4a7fa99a0ba55b69858c2e21
Opcode Fuzzy Hash: 288ee58ec4b9e13de987058b354565d8acbff20ca471d7382a6308f56360bbf5
Instruction Fuzzy Hash: 66A17E36E002098FCF15DFB4C88059EB7B6FF89304B15856AE905AB695DF31EA56CF80

Analysis Process: fpIGwanLZi.exePID: 7816, Parent PID: 7660COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	6

Executed Functions

Function 02B0B328 Relevance: 4.1, Strings: 3, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0B6E5
Lj#p, xrefs: 02B0B6CF
0o#p, xrefs: 02B0B562

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 72cc94fd8bf23fc33cb71798cdebe3bd3a43c4876590d98a08a282867e4dce23
Instruction ID: c38b10f7fa415bcd94a423a41f612481136f8252c00678a02287cac9d37355d4
Opcode Fuzzy Hash: 72cc94fd8bf23fc33cb71798cdebe3bd3a43c4876590d98a08a282867e4dce23
Instruction Fuzzy Hash: 0FE10B75E00218CFDB15DFA9D984A9DBBB2FF49314F1980A9E819AB3A1D730AD41CF50

Function 02B0C752 Relevance: 3.9, Strings: 3, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0C945
0o#p, xrefs: 02B0C7C2
Lj#p, xrefs: 02B0C92F

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 864cdb7fb5ee0a5cbcbb22863219bca6aeb88209de6a27fb8e5d76058b072721
Instruction ID: a9cfdb8e184345cdd9898c1b8937dcc5ea5f3e27c3e7c7e7e75f1ccca6e8ed5d
Opcode Fuzzy Hash: 864cdb7fb5ee0a5cbcbb22863219bca6aeb88209de6a27fb8e5d76058b072721
Instruction Fuzzy Hash: 3781A374E00218DFDB15DFAAD984B9DBBF2BF89300F1485AAE409AB365DB309945CF14

Function 02B0C190 Relevance: 3.9, Strings: 3, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0C385
0o#p, xrefs: 02B0C202
Lj#p, xrefs: 02B0C36F

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 48724ee95b3999f32000dbe4fab1dc1a5dac502f4a06c706650d35f13eda9c16
Instruction ID: 000bbac6baeda523a19cb0a6b3a511760bb1fd08e3658874a81e8f633c9b6206
Opcode Fuzzy Hash: 48724ee95b3999f32000dbe4fab1dc1a5dac502f4a06c706650d35f13eda9c16
Instruction Fuzzy Hash: DE81A174E002188FDB15DFAAD984A9DBBF2FF89300F15C1AAE419AB365DB309945CF14

Function 02B0C470 Relevance: 3.9, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0C665
0o#p, xrefs: 02B0C4E2
Lj#p, xrefs: 02B0C64F

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: f8b15c1f8139287b725caacd047f9b6dd6e28896626c6f8c38e431b168e93a1a
Instruction ID: 9d692a3aca2ee8357a77d02fecec6c80f6dbda3889e3baa0b08c3561b24bcf4d
Opcode Fuzzy Hash: f8b15c1f8139287b725caacd047f9b6dd6e28896626c6f8c38e431b168e93a1a
Instruction Fuzzy Hash: CE81A374E00218CFDB15DFAAD984A9DBBF2BF89300F14D1AAE409AB365DB305945CF10

Function 02B04AD9 Relevance: 3.9, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B04CCE
Lj#p, xrefs: 02B04CB8
0o#p, xrefs: 02B04B4A

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 2e435e6f0c2f36e926332c9d2f700b5a39684a183d1e528f573cae43ac2cd91a
Instruction ID: 50ecb91c376b2f7aa81e6154ebaafd73f5217993fa433f7eb1d5ea40abed80a3
Opcode Fuzzy Hash: 2e435e6f0c2f36e926332c9d2f700b5a39684a183d1e528f573cae43ac2cd91a
Instruction Fuzzy Hash: 48819274E00218DFDB55DFAAD984A9DBBF2FF89300F1480A9D919AB365DB309985CF10

Function 02B0CA32 Relevance: 3.9, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o#p, xrefs: 02B0CAA2
Lj#p, xrefs: 02B0CC0F
Lj#p, xrefs: 02B0CC25

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: 71a697c41c4f93d1dc51f868ebb674440a321d762b8af50bda1edba85a80ad78
Instruction ID: 46f79ea0c562fc2f02e52618d9fe42483623940943c0462b1a15082a242d212e
Opcode Fuzzy Hash: 71a697c41c4f93d1dc51f868ebb674440a321d762b8af50bda1edba85a80ad78
Instruction Fuzzy Hash: F681A474E00218CFDB15DFAAD984A9DBBF2FF89300F1481AAE819AB365DB305945CF50

Function 02B0BEB2 Relevance: 3.9, Strings: 3, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0C08F
Lj#p, xrefs: 02B0C0A5
0o#p, xrefs: 02B0BF22

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: b8fab8d5cc2cf2fadc31c06620982949fdbad38c20972b94b845a051f7277631
Instruction ID: 77de8a5238d954c5c21c8765a143b5558b925a4022785283469ada5a9a98799d
Opcode Fuzzy Hash: b8fab8d5cc2cf2fadc31c06620982949fdbad38c20972b94b845a051f7277631
Instruction Fuzzy Hash: 6281A374E00218CFDB15DFAAD984A9DBBF2FF89314F1481AAD419AB365DB309945CF10

Function 02B0BBD2 Relevance: 3.9, Strings: 3, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lj#p, xrefs: 02B0BDC5
0o#p, xrefs: 02B0BC42
Lj#p, xrefs: 02B0BDAF

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p$Lj#p$Lj#p
API String ID: 0-1178635779
Opcode ID: ed7e61c95e8d0fdceb9946fb660d61d08e485546adb47bcf086d357c836b6dad
Instruction ID: 75440cf45b7d557a500e5f5bf26c9c8760fa64ae9d87c1277a5ba4538ea52389
Opcode Fuzzy Hash: ed7e61c95e8d0fdceb9946fb660d61d08e485546adb47bcf086d357c836b6dad
Instruction Fuzzy Hash: D5818F74E00218CFDB15DFAAD984A9DFBF2BF89304F1481A9E419AB365DB309945CF10

Function 02B0B4F2 Relevance: 1.4, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0o#p, xrefs: 02B0B562

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: 0o#p
API String ID: 0-2085137917
Opcode ID: 00c70654d7a2d8715144489de5f87bcff0adef7e97b00a404747d1dd472ae184
Instruction ID: 1b4c3587e255edfe8f3fc08a145241920f020860b6cb7f184dd504ef0e7ed9d5
Opcode Fuzzy Hash: 00c70654d7a2d8715144489de5f87bcff0adef7e97b00a404747d1dd472ae184
Instruction Fuzzy Hash: CB61A1B4E006089FEB19DFAAD984A9DBBF2FF89304F14C069E419AB365DB345941CF10

Function 02B09858 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ba4da2fc700f688ac00e2399d5f3d8aea477e9b32bbb163506c63341cc762d
Instruction ID: 3e87fe0a42565b84fcbf151854b036ab9166c2b11e9a3135b2ec2f482a2cc759
Opcode Fuzzy Hash: a2ba4da2fc700f688ac00e2399d5f3d8aea477e9b32bbb163506c63341cc762d
Instruction Fuzzy Hash: D6728171A00609DFCB16CF68C984AAEBFF2FF89304F158995E9459B2A1D730ED81CB50

Function 02B06108 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6adfbb27f1151b3656f6fb0f85df1be30128bfef467bd5b2f2f498c57a9d5d
Instruction ID: e1ef82d2fb470cd720ba2dadb5758eaab24f83fce9e94d20039626e8ae66d5b5
Opcode Fuzzy Hash: 4d6adfbb27f1151b3656f6fb0f85df1be30128bfef467bd5b2f2f498c57a9d5d
Instruction Fuzzy Hash: BF12A170A002189FDB15DFA9C994BAEBBFAFF88340F148559E406EB394DB349D51CB90

Function 02B06880 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979bba67f9ab045c87a3757c3ec232bfa2688c7d649a3ef12a95c5b15c698cad
Instruction ID: 10facb92cc036bfa951c6ebd4e3d607eaf0970ae2a74764c840950d23c08fac7
Opcode Fuzzy Hash: 979bba67f9ab045c87a3757c3ec232bfa2688c7d649a3ef12a95c5b15c698cad
Instruction Fuzzy Hash: A4D11970A00119DFCB16DFA9C9C4AADBFFAFF88344F1581A5E415AB2A5D730E861CB50

Function 0696628A Relevance: 4.6, APIs: 3, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06966316
GetCurrentThread.KERNEL32 ref: 06966353
GetCurrentProcess.KERNEL32 ref: 06966390

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: Current$Process$Thread
String ID:
API String ID: 3242834020-0
Opcode ID: 7604cc3e9a7ad9e11630a0267161c49eec06fbb13d7cddc3d0fd9af6d4e1acd8
Instruction ID: 23ac15095bcfcded98a9f19f719ba87ce0f05baed4a096a6262ba34458e1b78b
Opcode Fuzzy Hash: 7604cc3e9a7ad9e11630a0267161c49eec06fbb13d7cddc3d0fd9af6d4e1acd8
Instruction Fuzzy Hash: D85166B09017498FDB44CFAAD948B9EBBF1FF88300F24805AE409A7790D775A944CF66

Function 06966298 Relevance: 4.6, APIs: 3, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06966316
GetCurrentThread.KERNEL32 ref: 06966353
GetCurrentProcess.KERNEL32 ref: 06966390

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: Current$Process$Thread
String ID:
API String ID: 3242834020-0
Opcode ID: 0e57edcacc88dc652522859b3ff71de711cddb5c777b218323dced1ca4033054
Instruction ID: 9376977215af211cabc7fea0a618b70489b60ff42257dc37ed3cdb0b78e7cc75
Opcode Fuzzy Hash: 0e57edcacc88dc652522859b3ff71de711cddb5c777b218323dced1ca4033054
Instruction Fuzzy Hash: 685154B09017498FDB44CFAAD948B9EBBF1EF88304F20805AE409A7790D775A944CF66

Function 0696EC30 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bfaefb322819e9c4a0a3d9f9f7997eea262ffc05eefe3fb2777dfc19db79190a
Instruction ID: b32ada9a335c24bae471c638041f226f09dd7bca814fea628e4523322fd88e49
Opcode Fuzzy Hash: bfaefb322819e9c4a0a3d9f9f7997eea262ffc05eefe3fb2777dfc19db79190a
Instruction Fuzzy Hash: E0817774A00B058FEBA4DF2AD55475ABBF5FF88300F10892EE44ADBA40D774E849CB91

Function 069664D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06966567

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: edd104639dd46e95791f736fc4aaf9ea74f249b352b08b101cadd2ea9e5a6e06
Instruction ID: 6ed39d3440cf5400d7605d589716a0ddd5240f2fe8ee4d8f409811dac3e8b82a
Opcode Fuzzy Hash: edd104639dd46e95791f736fc4aaf9ea74f249b352b08b101cadd2ea9e5a6e06
Instruction Fuzzy Hash: 4B21E3B59003499FDB10CFAAD985ADEBFF8EB48310F14801AE915A3750D378A954CFA5

Function 069664E0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06966567

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 655dbbc5d500118bc6af8786ff9912162e62841c08fea3c9a6e706462440ae7c
Instruction ID: 6787693c2516068c322be156631aa1af9ed9746ce15b5ebed2baafa4857af04d
Opcode Fuzzy Hash: 655dbbc5d500118bc6af8786ff9912162e62841c08fea3c9a6e706462440ae7c
Instruction Fuzzy Hash: AC21C2B5D003499FDB10CFAAD985ADEBFF8EB48310F14841AE918A3750D378A954CFA5

Function 0696E114 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0696EC4C), ref: 0696EE86

Memory Dump Source

Source File: 00000003.00000002.3848284688.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6960000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7d5a73399fe14bb3b37c46d65b083c17692a0f62240f801dffd10e7189023e13
Instruction ID: f5abd5676b13715863d01d06743e8d7f5c852288857792f30b60382700c2e7a2
Opcode Fuzzy Hash: 7d5a73399fe14bb3b37c46d65b083c17692a0f62240f801dffd10e7189023e13
Instruction Fuzzy Hash: 061102BAC047498FDB10DF9AD444BAEFBF4EB49210F10842AE829B7740D375A545CFA5

Function 02B01F61 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

T, xrefs: 02B01F6C

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-286829874
Opcode ID: 531cdcabf817ccf1741cdadc72a7332bfeebe486472abdbec013310b4f6beb5c
Instruction ID: 72365d9195517220f1af0be47e7053851c71c50e3832bb2568173438715abef9
Opcode Fuzzy Hash: 531cdcabf817ccf1741cdadc72a7332bfeebe486472abdbec013310b4f6beb5c
Instruction Fuzzy Hash: 8421C4B4C052498FCB05EFA8D9855EDBFF0BB49300F10556AD819B7250EB305A95CBA1

Function 02B077F0 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b54602567dde732d43846063617d81bbf0fec7eac44fc1ee159b467a7f5d6e6
Instruction ID: c24dd74a5530bb36d207ae1973359315d26cf9d496f5abfe18f3be8ca4db0d04
Opcode Fuzzy Hash: 0b54602567dde732d43846063617d81bbf0fec7eac44fc1ee159b467a7f5d6e6
Instruction Fuzzy Hash: F452F134A002188FEB15DBE0D860B9EBBB2FF88300F1481A9D10A6B7A5DF359E45DF55

Function 02B06E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b004ceb5320cc40a005430d214d033cfb464c97edc61dcbf6d19e0dcd55c8f1a
Instruction ID: d7cb7f0735b94158daee8b45d8231d6b93e7a2f5bb4fde002ac0842d2e823061
Opcode Fuzzy Hash: b004ceb5320cc40a005430d214d033cfb464c97edc61dcbf6d19e0dcd55c8f1a
Instruction Fuzzy Hash: 70124631A006089FCB16DF68D884E9EFBF2EF89314F158599E8499B2A1DB30FD41CB50

Function 02B0A818 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bf4e8df99a1ec4657578d8aa48356eb87d7f17d98fe8c9d25b489497a8b563
Instruction ID: 42e8c1c332ca622c74329c4542e4868985f5b3f6ae53c00b038fb549da4792a3
Opcode Fuzzy Hash: e3bf4e8df99a1ec4657578d8aa48356eb87d7f17d98fe8c9d25b489497a8b563
Instruction Fuzzy Hash: 6CF13C71A402148FCB15CF6DD8C4AADBBF2FF88354B1A8599E615AB3A1CB31EC41CB50

Function 02B00C8F Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb38e809615f6a375b5027f95dc1caacc69abb08839d33bc48e2f1268e7fc4b
Instruction ID: 5f05e8fb8b4bb7828b1657b6ebc6d9b5867f63a6baf61263487cc9b0b33303d8
Opcode Fuzzy Hash: 4bb38e809615f6a375b5027f95dc1caacc69abb08839d33bc48e2f1268e7fc4b
Instruction Fuzzy Hash: 0922EA74D00219CFCB55EF64E984A9DBBB2FF48314F1089A9D809AB754DB306E85CF91

Function 02B00CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82fecb2eb42962a975ee5f257960cc06c67ea99eea296d60c253d7abb359bb0
Instruction ID: e817bf61e63dfe4063d1388fb45f79a2927f27c327417ee0e4626109e62172a6
Opcode Fuzzy Hash: e82fecb2eb42962a975ee5f257960cc06c67ea99eea296d60c253d7abb359bb0
Instruction Fuzzy Hash: 7122DA74D00219CFCB55EF64E984A9DBBB2FF48315F1089A9D809AB754DB306E85CF81

Function 02B087E9 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f01ffafb66e101a25534fa5f5062ef4f6c43b8a3bb724a6cc02a561c3764cae
Instruction ID: 875a4731041434efa48e064563d807b4e1cbba97451a38ecc5f880ab7e478fdc
Opcode Fuzzy Hash: 3f01ffafb66e101a25534fa5f5062ef4f6c43b8a3bb724a6cc02a561c3764cae
Instruction Fuzzy Hash: A3B17C707146018FEB169B29C9E8B393B96EF85644F1804EAE142CF3E1EB26DE42C741

Function 02B056A8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f11878e667e40ac7b5865f00712a0f8c5ad7e9d1a278fdca0aceb62f2d367e1
Instruction ID: 9d33dbc40a35e38c1d1cef8dd7f78c76618a18b075b536ad6f58921a6670dbe8
Opcode Fuzzy Hash: 8f11878e667e40ac7b5865f00712a0f8c5ad7e9d1a278fdca0aceb62f2d367e1
Instruction Fuzzy Hash: 7391DD31B04200CFDB269F64D898B6E7BE6FB88340F5489A9E8468B381DF749C41CB94

Function 02B0F790 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a71590994e958b0b4e73c5547701788490a59f19ec569f8f4eab39b2e14d763
Instruction ID: 32135d7d386e46582defbac2defe386996a2f417f1f7db1e80a8641a2106df88
Opcode Fuzzy Hash: 8a71590994e958b0b4e73c5547701788490a59f19ec569f8f4eab39b2e14d763
Instruction Fuzzy Hash: B2918D70B007059FDB55EF79D88092EBBE2FF883007108669D44ACBB51EB70E846CB94

Function 02B05C08 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f6d3500d9e7fc93139c0f5e08191acf72b51bbeacf9f4b6cdf5532dd905750
Instruction ID: e6e5ada559d6105d4b7793f511f91e2682484f84656c09c402a17678764e92c5
Opcode Fuzzy Hash: 01f6d3500d9e7fc93139c0f5e08191acf72b51bbeacf9f4b6cdf5532dd905750
Instruction Fuzzy Hash: 90819431B00505DFCB25CF69C8C8AA9BBB2FF89204B9481AAD405E7BA5DB31EC41CF50

Function 02B07438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc873432ce8ed1cb4811ed65ce6b78658623b24dd53a8f2873267ad54057913
Instruction ID: b9a6a1b6cd1501fff7441e58e6f011eb3fb32261bbeb8c5f08a187ee344f0524
Opcode Fuzzy Hash: fdc873432ce8ed1cb4811ed65ce6b78658623b24dd53a8f2873267ad54057913
Instruction Fuzzy Hash: 1A71D734B006058FCB16DF68C498AADBBE6EF49644B1944E9E806CB3B1DF70EC51DB90

Function 02B0F0C0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06beb332e4499bed9177c6347f28906c9f4bf236a6609143fe5b37aa91ba36c7
Instruction ID: 0d9ec8d1aa30b431543753567711ba8f906445025764c4be00da38571ca23647
Opcode Fuzzy Hash: 06beb332e4499bed9177c6347f28906c9f4bf236a6609143fe5b37aa91ba36c7
Instruction Fuzzy Hash: EF713574A043299FDB16DFA4D8589ADBFB3FF88700F148129E506AB690DB349942DF44

Function 02B0CEC7 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4908b419193fe58215893720d8edfcd9dad534c7fe04501f7f8455bf02f23b
Instruction ID: 2d72fce606b64d7f2d924dfd69e6ad5379bfbf6ce0bbb986b9c08beee1039d04
Opcode Fuzzy Hash: 4f4908b419193fe58215893720d8edfcd9dad534c7fe04501f7f8455bf02f23b
Instruction Fuzzy Hash: 8A51D0318A1743CFD3086F35E9AC16EBBA5FB4F3A3744AD14B15E92025DBB058A9CA11

Function 02B0CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dcfb033a96785d28c724c379e26249a8572dd1f834007e12cc6ebacbe6c132
Instruction ID: e0366af05146e629d303e591411165e7b804325370d7b548b7fadddad29b46c8
Opcode Fuzzy Hash: 75dcfb033a96785d28c724c379e26249a8572dd1f834007e12cc6ebacbe6c132
Instruction Fuzzy Hash: 0451AF318A1747CFD3086F35E9AC16EBBA5FB4F3A3744AD14B15E92025CB7058A9CA21

Function 02B0EBE8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668281cdb23cd1ed6eab852e764f4c55be9dc3b3805d0c7aa39d50d79fcd6709
Instruction ID: 6b328ef243ef5c1e086f2b6a2265450565ae3a6c75f950c98b139469e736e2d3
Opcode Fuzzy Hash: 668281cdb23cd1ed6eab852e764f4c55be9dc3b3805d0c7aa39d50d79fcd6709
Instruction Fuzzy Hash: 12415B71901219DFD704AF61D46C7FE7BB1EB8A315F104869D215632E0CBB90A88CF91

Function 02B0CD10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5480ccfd72ea0852e753452f81545f68220034fe381c876e2c1f7963ac86a409
Instruction ID: cd54ac4786cd0def46f0244c2bad1dfb13326f73e5bf058a0031a516543d85dd
Opcode Fuzzy Hash: 5480ccfd72ea0852e753452f81545f68220034fe381c876e2c1f7963ac86a409
Instruction Fuzzy Hash: EA519175E01208DFDB44DFAAD98499DBBF2FF89300F209169E819AB365DB30A945CF50

Function 02B03908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a44bece6606414c1237f44e818b21485f393410311c372d245ad37a47e6cb7
Instruction ID: 385e4054c861dbad723f27d722423577a5527e7f0808e84bf121ea4e60485a65
Opcode Fuzzy Hash: c8a44bece6606414c1237f44e818b21485f393410311c372d245ad37a47e6cb7
Instruction Fuzzy Hash: 8C519F75E01208CFCB48DFA9D99499DBBF2FF89305B209469E809BB364DB31A945CF50

Function 02B0F781 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d384998856c994a0d66f55a40944b0d993ffacc40e973ea55866f1e582a15a6a
Instruction ID: e755cd0aabf838de4a50d0eb14f4898c6127f4f4403ee76c5a6f3200b7408daf
Opcode Fuzzy Hash: d384998856c994a0d66f55a40944b0d993ffacc40e973ea55866f1e582a15a6a
Instruction Fuzzy Hash: E941A130B043069FDB55EB36D89097EBBE2EF883107048569D456C7A81EF30E806CB91

Function 02B09A63 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789c4c8a7925b237649781bffa265b4c11cc0f55f18b7bc4a32b8a08056bae75
Instruction ID: 42a74a02a67a2f5bddd59475cb962556d45ec4483f64f4bb216274a13923944c
Opcode Fuzzy Hash: 789c4c8a7925b237649781bffa265b4c11cc0f55f18b7bc4a32b8a08056bae75
Instruction Fuzzy Hash: FE41A231A04649DFCF12CFA5C884B9EBFB2EF49754F048595E815AB2E2D374E950CB90

Function 02B0A650 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e767d9387a798059ef8de61989d3610a278baeda4c46187902ce55aef0e83f0f
Instruction ID: 5ebd24479ed0e8bb0db0513b2c7f8d38cf857fb7628377d8dbafa2f87747351a
Opcode Fuzzy Hash: e767d9387a798059ef8de61989d3610a278baeda4c46187902ce55aef0e83f0f
Instruction Fuzzy Hash: 6941F231B006049FCB169B79D854AAEBBF6EBC9250F1484A9E506E7391DE319C01CBA0

Function 02B0D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782e90607f23e7c3981330bc955ded41f7ced243c74f7a115fed98759c8520db
Instruction ID: 234402b1e0b26e45f785d41218699a0f509c4a434636bb26b1545ffee1d125c3
Opcode Fuzzy Hash: 782e90607f23e7c3981330bc955ded41f7ced243c74f7a115fed98759c8520db
Instruction Fuzzy Hash: 73410174E0420ACFCB16DFE8E484AADBBB2FB49305F609599D40AA72C4D774A841CF64

Function 02B03428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54da61f989d8ef7475d4096ff4171246693feef39e68934894bc10cffef1c5b0
Instruction ID: baecda4536b2240a60251f1d385c83191ac05fc1436169b8cd3a39849bfc0482
Opcode Fuzzy Hash: 54da61f989d8ef7475d4096ff4171246693feef39e68934894bc10cffef1c5b0
Instruction Fuzzy Hash: E831F571B003158BDF1A8AB659DC37E6ADAEBC4254F1C44F9D806DB3D1DB75CC048651

Function 02B0D7F1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ac21c923a90e5ecef9afcec4d17933dbe347a68bffb94f15c482814010316c
Instruction ID: 05325a6765d980403a19cae7ce94fc08bb5f36e63e48907c1490be0683442346
Opcode Fuzzy Hash: 97ac21c923a90e5ecef9afcec4d17933dbe347a68bffb94f15c482814010316c
Instruction Fuzzy Hash: 4141F174E0420ACFCB06DFE8E4846EDBBB2FB49305F609599E409A7294D774A841CF64

Function 02B06730 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a3c03cecb6a61ac745682e646ac13df58cf50b9f660b3a480dc127a2af2bfe
Instruction ID: d8c0ac1a40de0e75ef3eedcb81306d1d2cb9a3c5fa15408e38f11c7bfaf71ca7
Opcode Fuzzy Hash: 03a3c03cecb6a61ac745682e646ac13df58cf50b9f660b3a480dc127a2af2bfe
Instruction Fuzzy Hash: A641E130A00208DFDB128F64C944BAEBFFAEB44304F0488AAE8559B281D775ED65CF91

Function 02B0D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83f9d2b4a6d67ffdd10e0c9c35fcd6b293b8ba06a2907fef2da0512571453ca
Instruction ID: b8a253eb686432334a6fe0f55ab68d142b791029ad4bf416f824c3a257f33c7d
Opcode Fuzzy Hash: c83f9d2b4a6d67ffdd10e0c9c35fcd6b293b8ba06a2907fef2da0512571453ca
Instruction Fuzzy Hash: 4B41F174E0420ACFDB06DFE8E4846EDBBB2FB49305F209599D409A72D4D774A841CF54

Function 02B0D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce92f94700df9f09c0ffffada0216a2b3a0881cc2bc802630e3d613fd141e74
Instruction ID: d00676ab049f2fc4ed22f2063b794352865dc8741d6cb293c88428804160c796
Opcode Fuzzy Hash: 2ce92f94700df9f09c0ffffada0216a2b3a0881cc2bc802630e3d613fd141e74
Instruction Fuzzy Hash: 3D41E370E01209CFDB09DFA9D484AEEFBB2FB89304F14D569D408A7294DB75A841CF64

Function 02B04DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c5ff510988d93d26a4523f21c5f3c89006ec587fa205c6aff3c0e8e30a669b
Instruction ID: 29f50ffed6f15583acd35d460472bc628f02a51563a7971055b9dd1d7248da2f
Opcode Fuzzy Hash: 30c5ff510988d93d26a4523f21c5f3c89006ec587fa205c6aff3c0e8e30a669b
Instruction Fuzzy Hash: 85318F7164010A9FCF0A9F64E894AAF7FB6FB88345F104464FA558B291CF35CD61DBA0

Function 02B0F610 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740b126f2470628774254949a71f02ef78dbcb098fbe81f79aa4b011ffc52366
Instruction ID: 0a68542ee9c22252ec80f644206b6e414ac4c03490a92beff83ec18b7de7b0ea
Opcode Fuzzy Hash: 740b126f2470628774254949a71f02ef78dbcb098fbe81f79aa4b011ffc52366
Instruction Fuzzy Hash: C731D270B057159BDB32DBA4C5807BEBFB5EF89750F0481A8D816A7AA0CF70A844CBD1

Function 02B076E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd4dc99fe6f7984a85bd04d350e4d71dafe10865efa67ac75e7bb1f80b5252c
Instruction ID: 9ce6e60c7805fbfdba4385e87c76d3458ba75f08ca460e3e2e4598cfba5da6df
Opcode Fuzzy Hash: 5fd4dc99fe6f7984a85bd04d350e4d71dafe10865efa67ac75e7bb1f80b5252c
Instruction Fuzzy Hash: A72190383042005BEB1A562588D4B7EFA97DFC4699F1840B8D502CB7D8EE25FC42E680

Function 02B0F0B0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb28b7043b113ca8dbc956880aabbb4a963886cb253274aea42c6ec2a88667d6
Instruction ID: ddc97d14c521fbc4be23f29da0d6e297616c187ff5418a565591875cb8a568b2
Opcode Fuzzy Hash: bb28b7043b113ca8dbc956880aabbb4a963886cb253274aea42c6ec2a88667d6
Instruction Fuzzy Hash: 6231AF34B043198BDB26DFB5C4546AEBFB3AF89250F04846DE806AB791DF348842CB60

Function 02B0A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561d4f6e3237cc1910f9769c984385fbfc816f79487cac40bb7660d23e5e11a7
Instruction ID: 6bf169b9babf5ab6d6d1df5346876d50194be86b019a408e6834fea882103750
Opcode Fuzzy Hash: 561d4f6e3237cc1910f9769c984385fbfc816f79487cac40bb7660d23e5e11a7
Instruction Fuzzy Hash: 3C317070F406058FCB05CF69C884AAEBBB2FF89354B158655E655A73A5CB34EC42CB90

Function 02B0DF79 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2a037112e5851a57bbfdb53f5b0b343dc6a7431c946354399eb778e835e733
Instruction ID: c84a3b7da67b1cb4f467188079499343c9d28babc77496c57ffb9dc2781222f9
Opcode Fuzzy Hash: cf2a037112e5851a57bbfdb53f5b0b343dc6a7431c946354399eb778e835e733
Instruction Fuzzy Hash: EA217A71D002099FDB09DFAAD8446EEBBB6EBCA300F04D465D418B72E4DBB09549CE64

Function 02B02060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bbea1562c8dc790eac733a1505cbc9b7cf5da2162cbc25aeff47a21725e26a
Instruction ID: d18e98034a744070cf7111e4420f281180b96a16c913fdc55707407835f6e53d
Opcode Fuzzy Hash: d6bbea1562c8dc790eac733a1505cbc9b7cf5da2162cbc25aeff47a21725e26a
Instruction Fuzzy Hash: 9C21B231A00205DFDF15DB64C484AAE3BA9EB98750F10C459EC0A8B294EB31EE4ACBD1

Function 02B05A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79125a9ce362808fe95f5ae1188dd153174fbaa7404dfdf9002ec7384bc743c1
Instruction ID: 9cdde7ce5e6a893b6eb17a9d07e7d5d136ddbe501c788d1878822e3890cc1494
Opcode Fuzzy Hash: 79125a9ce362808fe95f5ae1188dd153174fbaa7404dfdf9002ec7384bc743c1
Instruction Fuzzy Hash: 3E2105317006118FC3269A29C8D492FBBA6FF8975175445A8E816DB790CF30DC06CBC0

Function 00E7D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845242622.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f69e6c06c80514fc62631d1a916b051c76733e03485fa7fcf6cf79f0349fb0b
Instruction ID: fec028143ec5eb79b4606a6987266158b31575cc009a66f55fa64224a559b6df
Opcode Fuzzy Hash: 5f69e6c06c80514fc62631d1a916b051c76733e03485fa7fcf6cf79f0349fb0b
Instruction Fuzzy Hash: F521D0715083449FDB14DF20CDC4B26BB76FF84318F24D5A9E84E5B282C736D846CA62

Function 02B0215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0faea35e238ac9ea0417590da6c71d50fffaf4e5b9c001da559c6c8d402963ae
Instruction ID: e93757154771712af492a9745498863c707fc186471b207a607fd9f03d502c20
Opcode Fuzzy Hash: 0faea35e238ac9ea0417590da6c71d50fffaf4e5b9c001da559c6c8d402963ae
Instruction Fuzzy Hash: CD113631E042599FCB02DBB8EC009DEBB75FF89210F2483A6D925B7190E6322906C790

Function 02B04DB9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6478ae3d9d675f67f9950d7e4ff063d8ab7afc9c3011b417c48da26612861825
Instruction ID: 2f4483862c2a70dc773569c2609a03eb780c260266bfeae7e399869c8e66f936
Opcode Fuzzy Hash: 6478ae3d9d675f67f9950d7e4ff063d8ab7afc9c3011b417c48da26612861825
Instruction Fuzzy Hash: 302124316441499FDB0A9F78E494B6B7FB6EB48314F2044A4FA558B281CF34CC51CBE0

Function 02B0D60F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138e586a16f90e2b2924420d5f291f56f5603c52e01d517865ea39b2c4449dfd
Instruction ID: fc2b05d6c9685b0fc92355fd95ffdc532298c437e53219f55ca2bfb11eb82db6
Opcode Fuzzy Hash: 138e586a16f90e2b2924420d5f291f56f5603c52e01d517865ea39b2c4449dfd
Instruction Fuzzy Hash: 4D111971E006498FDB09CFEAD8446EEBFF2EBCA300F18D469D418A72A5DB7054468F54

Function 02B0E201 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb4e5e77fb110c114b2abc5ad9054a6e8bc8307645935b36f27a78181f90b02
Instruction ID: c2d05a740d34a97b995ec93bb4270a0abbc6caeb3953eac726596579c487e97c
Opcode Fuzzy Hash: 0cb4e5e77fb110c114b2abc5ad9054a6e8bc8307645935b36f27a78181f90b02
Instruction Fuzzy Hash: 772151B0D00209DFDB45EFB9D94079EBBF2FB49304F0085AAD058AB365EB309A55DB81

Function 02B0F008 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc967e85d5b64387b64a40a4ec85adaa2a9da99389fb4813d22ac0176cc815f
Instruction ID: dc797670eeac0fdee056033515c6541f39f1b9cb427b14ada4007ef0a7aee107
Opcode Fuzzy Hash: ebc967e85d5b64387b64a40a4ec85adaa2a9da99389fb4813d22ac0176cc815f
Instruction Fuzzy Hash: A501D830B443449BD7151A76A85877FBAEBAFCA250B1488B7F506C32D5DD388C058375

Function 02B0EFF9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1d33d22d0d07308a0786b8ae461f316ddaa008bd7327c34bd8eb89d4b6b1f
Instruction ID: ce0db340f82548cf79497b5f34ef65708603626210091b21ad3b405ea0ce5639
Opcode Fuzzy Hash: 16b1d33d22d0d07308a0786b8ae461f316ddaa008bd7327c34bd8eb89d4b6b1f
Instruction Fuzzy Hash: A701F531B082849FD7161B75A8587BFBFAAAFCA250B0488B7E546C7392DD388C058775

Function 02B0E208 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c921b2b1b861c5da92d912b7fff5518a5f3cf15e52f6bfeab2ced1cb88c560
Instruction ID: 8d459190fad74d2be830607d61f3d6723acf13c284529a809ef5977931057ea0
Opcode Fuzzy Hash: f0c921b2b1b861c5da92d912b7fff5518a5f3cf15e52f6bfeab2ced1cb88c560
Instruction Fuzzy Hash: 8A1151B0D00209DFDB45EFB9D94079EBBF2FB49304F0085AAD018AB365EB309A559B81

Function 02B01F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96798fe6e5f97b1e70cac47e071458bce304b24744181be9b1a86030c33664b
Instruction ID: 31f70fa3d354e1e90e2e1e80a6175478b637c0db042b26de6b7ba560fc4be71b
Opcode Fuzzy Hash: c96798fe6e5f97b1e70cac47e071458bce304b24744181be9b1a86030c33664b
Instruction Fuzzy Hash: CA211774D042098FCB15DFA8D4845EEBFF0FF49304F10416AD805B7264EB305A95CBA1

Function 00E7D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845242622.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: c0c0a9c6bbbc9485b03f8e9bd51558ce00d3ef60be7722aee1532ec94ca475c7
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 70118E75508244DFCB15CF10D9C4B16BB72FB44318F28C6A9D8494B696C33AD84ACF61

Function 02B05607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3003a4736175ce7a307b2afcd88bef69f0b390f80a851d2e6c3e1f295932320a
Instruction ID: 968568b75429c09652872403b0952872ce287294c4d7367006a9964e3d4f9581
Opcode Fuzzy Hash: 3003a4736175ce7a307b2afcd88bef69f0b390f80a851d2e6c3e1f295932320a
Instruction Fuzzy Hash: 51012872B000046FCB538EA4A850BEF3F97EBC8790F288069F505D7280CE358C128BA0

Function 02B0D449 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef08afc72b6b903c4a4e5baa07dc1efccdec3e2d888f47f6f8dda7c79fe9b28d
Instruction ID: d35cd282e4a4b347671db7872470f2ec0fb381bc381482c5ae17dfb70ed934db
Opcode Fuzzy Hash: ef08afc72b6b903c4a4e5baa07dc1efccdec3e2d888f47f6f8dda7c79fe9b28d
Instruction Fuzzy Hash: 61E02272D041859FDB0ADBBAAC086EEBB78D78B300F085468D508A31E1CB706059CB91

Function 02B0DF08 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22786623e3ea3e58e263e1e602428b312e5b09acab64a25d7275e6c7b5da0d2f
Instruction ID: 82b9b5863e6f185e5805ed824623e16ce120f47f3d4aafb28b3833840dd87a54
Opcode Fuzzy Hash: 22786623e3ea3e58e263e1e602428b312e5b09acab64a25d7275e6c7b5da0d2f
Instruction Fuzzy Hash: 3AE022319042499FEB06CFAAA8082FABBB4EB8B300F009464D004620A1DBF052198A91

Function 02B02010 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bec350f51b0adeefe9d3d8dfe8695cdbcfa5ff7d826edef88aac304f0a1ac7
Instruction ID: 49bcb88467e339821de4f4ff95beece9fbab7cc9183636134d9ee1158ed28278
Opcode Fuzzy Hash: e8bec350f51b0adeefe9d3d8dfe8695cdbcfa5ff7d826edef88aac304f0a1ac7
Instruction Fuzzy Hash: 2CE0D835D503599BCB119AB5DC054DFBF34EDE3310B454157D1603B141EB60250A8BB1

Function 02B0D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c212605b08d088d9ceb07111fb48a1cc28e6d1635c3f977984c521d59083a3
Instruction ID: 7b96d11db94e5d59ff196330590ac7d8e59d8b45a951bc942079c6451ee24b56
Opcode Fuzzy Hash: 02c212605b08d088d9ceb07111fb48a1cc28e6d1635c3f977984c521d59083a3
Instruction Fuzzy Hash: 9CE0DFA3C081868BE7168BE668960BDBF30DBD3201748A4CBC0899B1E5D664A206DB16

Function 02B0FFA0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c6536c23ce56047b77927963506b1f1bfbb80dd65db8f716d4432cfb059b5d
Instruction ID: faaa92efabb3d35a38d120434467422265c207208879d1517f4744f88350892e
Opcode Fuzzy Hash: 34c6536c23ce56047b77927963506b1f1bfbb80dd65db8f716d4432cfb059b5d
Instruction Fuzzy Hash: 24E0B33600010EBF8F429F91DA44CC97FAAAB49658B499191FA185A131D232D5A5EB50

Function 02B02020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af3e11d18f281fafcce46b671a7224426bbd2c014ebbdc0e4a8afea46801f7b
Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
Opcode Fuzzy Hash: 6af3e11d18f281fafcce46b671a7224426bbd2c014ebbdc0e4a8afea46801f7b
Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1

Function 02B08258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6750b3bceb0d47cf3225625ca5472a14efb9ee8ce115328eb74ab5c2339f2b5c
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 27C08C3320C1282BA636108F7C81EB3BF8CC3C53F4A2541B7F95CE3280A8429C8041F8

Function 02B0A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4df2c86e5b8ecc6217ba0696bb8eaa19185519e09c2d4a5fca1607c2f99d1b
Instruction ID: f64e9c12fd643b25e877d5762b223bc0417777dfa559e636bbe4f5b4cd78345b
Opcode Fuzzy Hash: fb4df2c86e5b8ecc6217ba0696bb8eaa19185519e09c2d4a5fca1607c2f99d1b
Instruction Fuzzy Hash: 14D0677BB41008EFDB049F98E8409DDB7B6FB9C221B148516E915E3260C6319961DB54

Function 02B05EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d255f040c7bbd874513911d6f29971fa815a0ceab6374a1c29986b44a9a0cc
Instruction ID: d74eb458db689595e3eede993b12c30076b70ec66471808c163c1b44aaa5b048
Opcode Fuzzy Hash: 66d255f040c7bbd874513911d6f29971fa815a0ceab6374a1c29986b44a9a0cc
Instruction Fuzzy Hash: 8DD02E709483450BC302F330EA06A6A3B29AA82208B844890E8050BA0BEE785C194BA2

Function 02B05EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3845893059.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b00000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ded2ddddf3f0632f569a5516c623aa448ba71c345844ba085af9e6f8b8d1090
Instruction ID: 8eb20f472f491b16dd0a394e3f839d7fa9ffeaea7ff47ed67dfb1bf23dd698e3
Opcode Fuzzy Hash: 8ded2ddddf3f0632f569a5516c623aa448ba71c345844ba085af9e6f8b8d1090
Instruction Fuzzy Hash: FAC0807094030947D501F771FF46D69335AF6C1204F405550F0090751AEF746D595791

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fpIGwanLZi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
fpIGwanLZi.exe

Function 0290D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 0290D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06C7E094 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Function 06C7E0A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 08141398 Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Function 0290AF19 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 0290590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 0290449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02905A84 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 08145D50 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 06C7DE10 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Function 06C7DE18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 08145D58 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 06C7D871 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 06C7DF00 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON