Edit tour

Windows Analysis Report
fpIGwanLZi.exe

Overview

General Information

Sample name:	fpIGwanLZi.exe renamed because original name is a hash value
Original sample name:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e.exe
Analysis ID:	1588644
MD5:	b270344e0a2760f0faacbe25670635bc
SHA1:	2677ed82fcc97bc63ddba361d4c0052058d263c5
SHA256:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

fpIGwanLZi.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

fpIGwanLZi.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

fpIGwanLZi.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

fpIGwanLZi.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\fpIGwanLZi.exe" MD5: B270344E0A2760F0FAACBE25670635BC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "recruitment_ck@bprck.co.id", "Password": "@BPR.ck22!!", "Host": "mail.bprck.co.id", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdc75:$a1: get_encryptedPassword 0xdf50:$a2: get_encryptedUsername 0xda81:$a3: get_timePasswordChanged 0xdb7c:$a4: get_passwordField 0xdc8b:$a5: set_encryptedPassword 0xf26a:$a7: get_logins 0xf1cd:$a10: KeyLoggerEventArgs 0xee5c:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11428:$x1: $%SMTPDV$ 0x1148e:$x2: $#TheHashHere%& 0x12ac5:$x3: %FTPDV$ 0x12baf:$x4: $%TelegramDv$ 0xee5c:$x5: KeyLoggerEventArgs 0xf1cd:$x5: KeyLoggerEventArgs 0x12ae9:$m2: Clipboard Logs ID 0x12cff:$m2: Screenshot Logs ID 0x12e0f:$m2: keystroke Logs ID 0x130e9:$m3: SnakePW 0x12cd7:$m4: \SnakeKeylogger\
00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4acad:$a1: get_encryptedPassword 0x616cd:$a1: get_encryptedPassword 0x77eed:$a1: get_encryptedPassword 0x4af88:$a2: get_encryptedUsername 0x619a8:$a2: get_encryptedUsername 0x781c8:$a2: get_encryptedUsername 0x4aab9:$a3: get_timePasswordChanged 0x614d9:$a3: get_timePasswordChanged 0x77cf9:$a3: get_timePasswordChanged 0x4abb4:$a4: get_passwordField 0x615d4:$a4: get_passwordField 0x77df4:$a4: get_passwordField 0x4acc3:$a5: set_encryptedPassword 0x616e3:$a5: set_encryptedPassword 0x77f03:$a5: set_encryptedPassword 0x4c2a2:$a7: get_logins 0x62cc2:$a7: get_logins 0x794e2:$a7: get_logins 0x4c205:$a10: KeyLoggerEventArgs 0x62c25:$a10: KeyLoggerEventArgs 0x79445:$a10: KeyLoggerEventArgs
00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x4e460:$x1: $%SMTPDV$ 0x64e80:$x1: $%SMTPDV$ 0x7b6a0:$x1: $%SMTPDV$ 0x4e4c6:$x2: $#TheHashHere%& 0x64ee6:$x2: $#TheHashHere%& 0x7b706:$x2: $#TheHashHere%& 0x4fafd:$x3: %FTPDV$ 0x6651d:$x3: %FTPDV$ 0x7cd3d:$x3: %FTPDV$ 0x4fbe7:$x4: $%TelegramDv$ 0x66607:$x4: $%TelegramDv$ 0x7ce27:$x4: $%TelegramDv$ 0x4be94:$x5: KeyLoggerEventArgs 0x4c205:$x5: KeyLoggerEventArgs 0x628b4:$x5: KeyLoggerEventArgs 0x62c25:$x5: KeyLoggerEventArgs 0x790d4:$x5: KeyLoggerEventArgs 0x79445:$x5: KeyLoggerEventArgs 0x4fb21:$m2: Clipboard Logs ID 0x4fd37:$m2: Screenshot Logs ID 0x4fe47:$m2: keystroke Logs ID
00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7880	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7880	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7880	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa2cd9:$a1: get_encryptedPassword 0xa2faa:$a2: get_encryptedUsername 0xa2aef:$a3: get_timePasswordChanged 0xa2bea:$a4: get_passwordField 0xa2cef:$a5: set_encryptedPassword 0xa50ef:$a7: get_logins 0xa5052:$a10: KeyLoggerEventArgs 0xa4ce1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fpIGwanLZi.exe PID: 7880	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa4ce1:$x5: KeyLoggerEventArgs 0xa5052:$x5: KeyLoggerEventArgs 0xa5ba7:$x5: KeyLoggerEventArgs 0xa5ee6:$x5: KeyLoggerEventArgs 0xa71c9:$m2: Clipboard Logs ID 0xa72bb:$m2: Screenshot Logs ID 0xa7311:$m2: keystroke Logs ID 0xa7446:$m3: SnakePW 0xa72a7:$m4: \SnakeKeylogger\
Process Memory Space: fpIGwanLZi.exe PID: 7380	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: fpIGwanLZi.exe PID: 7380	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15174:$a1: get_encryptedPassword 0x15445:$a2: get_encryptedUsername 0x14f8a:$a3: get_timePasswordChanged 0x15085:$a4: get_passwordField 0x1518a:$a5: set_encryptedPassword 0x1758a:$a7: get_logins 0x174ed:$a10: KeyLoggerEventArgs 0x1717c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: fpIGwanLZi.exe PID: 7380	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1717c:$x5: KeyLoggerEventArgs 0x174ed:$x5: KeyLoggerEventArgs 0x18042:$x5: KeyLoggerEventArgs 0x18381:$x5: KeyLoggerEventArgs 0x19664:$m2: Clipboard Logs ID 0x19756:$m2: Screenshot Logs ID 0x197ac:$m2: keystroke Logs ID 0x198e1:$m3: SnakePW 0x19742:$m4: \SnakeKeylogger\
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.fpIGwanLZi.exe.3eb5e38.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3eb5e38.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc075:$a1: get_encryptedPassword 0xc350:$a2: get_encryptedUsername 0xbe81:$a3: get_timePasswordChanged 0xbf7c:$a4: get_passwordField 0xc08b:$a5: set_encryptedPassword 0xd66a:$a7: get_logins 0xd5cd:$a10: KeyLoggerEventArgs 0xd25c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3eb5e38.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xcc0b:$s1: UnHook 0xcc12:$s2: SetHook 0xcc1a:$s3: CallNextHook 0xcc27:$s4: _hook
0.2.fpIGwanLZi.exe.3eb5e38.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf828:$x1: $%SMTPDV$ 0xf88e:$x2: $#TheHashHere%& 0x10ec5:$x3: %FTPDV$ 0x10faf:$x4: $%TelegramDv$ 0xd25c:$x5: KeyLoggerEventArgs 0xd5cd:$x5: KeyLoggerEventArgs 0x10ee9:$m2: Clipboard Logs ID 0x110ff:$m2: Screenshot Logs ID 0x1120f:$m2: keystroke Logs ID 0x114e9:$m3: SnakePW 0x110d7:$m4: \SnakeKeylogger\
0.2.fpIGwanLZi.exe.3ecc858.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3ecc858.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc075:$a1: get_encryptedPassword 0xc350:$a2: get_encryptedUsername 0xbe81:$a3: get_timePasswordChanged 0xbf7c:$a4: get_passwordField 0xc08b:$a5: set_encryptedPassword 0xd66a:$a7: get_logins 0xd5cd:$a10: KeyLoggerEventArgs 0xd25c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3ecc858.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xcc0b:$s1: UnHook 0xcc12:$s2: SetHook 0xcc1a:$s3: CallNextHook 0xcc27:$s4: _hook
0.2.fpIGwanLZi.exe.3ecc858.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xf828:$x1: $%SMTPDV$ 0xf88e:$x2: $#TheHashHere%& 0x10ec5:$x3: %FTPDV$ 0x10faf:$x4: $%TelegramDv$ 0xd25c:$x5: KeyLoggerEventArgs 0xd5cd:$x5: KeyLoggerEventArgs 0x10ee9:$m2: Clipboard Logs ID 0x110ff:$m2: Screenshot Logs ID 0x1120f:$m2: keystroke Logs ID 0x114e9:$m3: SnakePW 0x110d7:$m4: \SnakeKeylogger\
5.2.fpIGwanLZi.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
5.2.fpIGwanLZi.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0xf05c:$a11: KeyLoggerEventArgsEventHandler
5.2.fpIGwanLZi.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0xea12:$s2: SetHook 0xea1a:$s3: CallNextHook 0xea27:$s4: _hook
5.2.fpIGwanLZi.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID 0x132e9:$m3: SnakePW 0x12ed7:$m4: \SnakeKeylogger\
0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0x24895:$a1: get_encryptedPassword 0x3b0b5:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0x24b70:$a2: get_encryptedUsername 0x3b390:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0x246a1:$a3: get_timePasswordChanged 0x3aec1:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0x2479c:$a4: get_passwordField 0x3afbc:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0x248ab:$a5: set_encryptedPassword 0x3b0cb:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0x25e8a:$a7: get_logins 0x3c6aa:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0x25ded:$a10: KeyLoggerEventArgs 0x3c60d:$a10: KeyLoggerEventArgs
0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0x2542b:$s1: UnHook 0x3bc4b:$s1: UnHook 0xea12:$s2: SetHook 0x25432:$s2: SetHook 0x3bc52:$s2: SetHook 0xea1a:$s3: CallNextHook 0x2543a:$s3: CallNextHook 0x3bc5a:$s3: CallNextHook 0xea27:$s4: _hook 0x25447:$s4: _hook 0x3bc67:$s4: _hook
0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x28048:$x1: $%SMTPDV$ 0x3e868:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x280ae:$x2: $#TheHashHere%& 0x3e8ce:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x296e5:$x3: %FTPDV$ 0x3ff05:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0x297cf:$x4: $%TelegramDv$ 0x3ffef:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x25a7c:$x5: KeyLoggerEventArgs 0x25ded:$x5: KeyLoggerEventArgs 0x3c29c:$x5: KeyLoggerEventArgs 0x3c60d:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID
0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xde75:$a1: get_encryptedPassword 0x24695:$a1: get_encryptedPassword 0xe150:$a2: get_encryptedUsername 0x24970:$a2: get_encryptedUsername 0xdc81:$a3: get_timePasswordChanged 0x244a1:$a3: get_timePasswordChanged 0xdd7c:$a4: get_passwordField 0x2459c:$a4: get_passwordField 0xde8b:$a5: set_encryptedPassword 0x246ab:$a5: set_encryptedPassword 0xf46a:$a7: get_logins 0x25c8a:$a7: get_logins 0xf3cd:$a10: KeyLoggerEventArgs 0x25bed:$a10: KeyLoggerEventArgs 0xf05c:$a11: KeyLoggerEventArgsEventHandler 0x2587c:$a11: KeyLoggerEventArgsEventHandler
0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xea0b:$s1: UnHook 0x2522b:$s1: UnHook 0xea12:$s2: SetHook 0x25232:$s2: SetHook 0xea1a:$s3: CallNextHook 0x2523a:$s3: CallNextHook 0xea27:$s4: _hook 0x25247:$s4: _hook
0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x11628:$x1: $%SMTPDV$ 0x27e48:$x1: $%SMTPDV$ 0x1168e:$x2: $#TheHashHere%& 0x27eae:$x2: $#TheHashHere%& 0x12cc5:$x3: %FTPDV$ 0x294e5:$x3: %FTPDV$ 0x12daf:$x4: $%TelegramDv$ 0x295cf:$x4: $%TelegramDv$ 0xf05c:$x5: KeyLoggerEventArgs 0xf3cd:$x5: KeyLoggerEventArgs 0x2587c:$x5: KeyLoggerEventArgs 0x25bed:$x5: KeyLoggerEventArgs 0x12ce9:$m2: Clipboard Logs ID 0x12eff:$m2: Screenshot Logs ID 0x1300f:$m2: keystroke Logs ID 0x29509:$m2: Clipboard Logs ID 0x2971f:$m2: Screenshot Logs ID 0x2982f:$m2: keystroke Logs ID 0x132e9:$m3: SnakePW 0x29b09:$m3: SnakePW 0x12ed7:$m4: \SnakeKeylogger\
Click to see the 15 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:45:18.578097+0100	2803305	3	Unknown Traffic	192.168.2.10	49930	104.21.48.1	443	TCP
2025-01-11T03:45:19.730053+0100	2803305	3	Unknown Traffic	192.168.2.10	49940	104.21.48.1	443	TCP
2025-01-11T03:45:21.637494+0100	2803305	3	Unknown Traffic	192.168.2.10	49951	104.21.48.1	443	TCP
2025-01-11T03:45:22.581243+0100	2803305	3	Unknown Traffic	192.168.2.10	49959	104.21.48.1	443	TCP
2025-01-11T03:45:23.480331+0100	2803305	3	Unknown Traffic	192.168.2.10	49966	104.21.48.1	443	TCP
2025-01-11T03:45:24.351225+0100	2803305	3	Unknown Traffic	192.168.2.10	49973	104.21.48.1	443	TCP
2025-01-11T03:45:25.455761+0100	2803305	3	Unknown Traffic	192.168.2.10	49980	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:45:16.600341+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:18.037828+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:19.178475+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:21.069145+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:22.022321+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:22.928496+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:23.819200+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:24.850359+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49814	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "recruitment_ck@bprck.co.id", "Password": "@BPR.ck22!!", "Host": "mail.bprck.co.id", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: fpIGwanLZi.exe	ReversingLabs: Detection: 63%
Source: fpIGwanLZi.exe	Virustotal: Detection: 79%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: fpIGwanLZi.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: fpIGwanLZi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.10:49922 version: TLS 1.0

Source: fpIGwanLZi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: hEdIE.pdb source: fpIGwanLZi.exe
Source:	Binary string: hEdIE.pdbSHA256K source: fpIGwanLZi.exe

Source: global traffic

TCP traffic: 192.168.2.10:51628 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49814 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49930 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49940 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49973 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49951 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49959 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49980 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49966 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.10:49922 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003279000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0148D584	0_2_0148D584
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054EE62B	0_2_054EE62B
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054EE630	0_2_054EE630
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713B760	0_2_0713B760
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713B328	0_2_0713B328
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713CFA0	0_2_0713CFA0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713AEBF	0_2_0713AEBF
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713AEF0	0_2_0713AEF0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_0713CB68	0_2_0713CB68
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_07141650	0_2_07141650
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9C190	5_2_02F9C190
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F96118	5_2_02F96118
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9C753	5_2_02F9C753
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9B4A0	5_2_02F9B4A0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9C470	5_2_02F9C470
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F93580	5_2_02F93580
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F94AD9	5_2_02F94AD9
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9CA33	5_2_02F9CA33
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9BBD3	5_2_02F9BBD3
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F99858	5_2_02F99858
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9BEB0	5_2_02F9BEB0
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_02F9B4F3	5_2_02F9B4F3
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4C254	5_2_06C4C254
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4F55B	5_2_06C4F55B
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4F560	5_2_06C4F560

Source: fpIGwanLZi.exe, 00000000.00000002.1466425489.0000000007A63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1461013073.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1465837006.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003F1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1461013073.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000000.1294241275.0000000000AFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehEdIE.exe< vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1466171931.0000000007480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000000.00000002.1459472130.000000000109E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe, 00000005.00000002.3163959687.0000000001337000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs fpIGwanLZi.exe
Source: fpIGwanLZi.exe	Binary or memory string: OriginalFilenamehEdIE.exe< vs fpIGwanLZi.exe

Source: fpIGwanLZi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: fpIGwanLZi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.evad.winEXE@7/1@2/2

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Mutant created: NULL

Source: fpIGwanLZi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fpIGwanLZi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fpIGwanLZi.exe	ReversingLabs: Detection: 63%
Source: fpIGwanLZi.exe	Virustotal: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: fpIGwanLZi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fpIGwanLZi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: fpIGwanLZi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: hEdIE.pdb source: fpIGwanLZi.exe
Source:	Binary string: hEdIE.pdbSHA256K source: fpIGwanLZi.exe

Source: fpIGwanLZi.exe

Static PE information: 0x9A1BCFA6 [Wed Dec 6 22:18:14 2051 UTC]

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054E4C35 pushfd ; retf	0_2_054E4C41
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054EB1AF push eax; mov dword ptr [esp], edx	0_2_054EB1C4
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054EF1A0 push eax; retf	0_2_054EF1A1
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 0_2_054EDCA0 push esp; ret	0_2_054EDCA1
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4B6A0 push ss; retf	5_2_06C4B8AA
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4B5E9 push cs; retf	5_2_06C4B5EA
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4B8A1 push ss; retf	5_2_06C4B8A2
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Code function: 5_2_06C4B988 push ss; retf	5_2_06C4B992

Source: fpIGwanLZi.exe

Static PE information: section name: .text entropy: 6.958210174643718

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 1480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 95D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: A5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: A7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: B7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 1384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe TID: 1384	Thread sleep time: -600000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: fpIGwanLZi.exe, 00000005.00000002.3164463248.0000000001496000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Memory written: C:\Users\user\Desktop\fpIGwanLZi.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Process created: C:\Users\user\Desktop\fpIGwanLZi.exe "C:\Users\user\Desktop\fpIGwanLZi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Users\user\Desktop\fpIGwanLZi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Users\user\Desktop\fpIGwanLZi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fpIGwanLZi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fpIGwanLZi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3eb5e38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ecc858.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fpIGwanLZi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3eb5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fpIGwanLZi.exe.3ecc858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fpIGwanLZi.exe PID: 7380, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fpIGwanLZi.exe	63%	ReversingLabs	Win32.Trojan.Jalapeno
fpIGwanLZi.exe	79%	Virustotal		Browse
fpIGwanLZi.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003279000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000333A000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003345000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003323000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003318000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.000000000332E000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	fpIGwanLZi.exe, 00000005.00000002.3165103758.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	fpIGwanLZi.exe, 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3165103758.0000000003285000.00000004.00000800.00020000.00000000.sdmp, fpIGwanLZi.exe, 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588644
Start date and time:	2025-01-11 03:43:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fpIGwanLZi.exe renamed because original name is a hash value
Original Sample Name:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@7/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 111 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
checkip.dyndns.com	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
UTMEMUS	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6BRa130JDj.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Download File

Process:	C:\Users\user\Desktop\fpIGwanLZi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.950802950730529
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	fpIGwanLZi.exe
File size:	757'760 bytes
MD5:	b270344e0a2760f0faacbe25670635bc
SHA1:	2677ed82fcc97bc63ddba361d4c0052058d263c5
SHA256:	f22cf9dc92fc4eee3eb35b4cdb613f21fa285d5f7630d2a898e25d4c5c512e5e
SHA512:	9cb8c9e211e28b9d989993fce4b93429c24f1db7a57c54a594888489568b4f42dee6c8fbadf189978d117e76bf6a85f710484892ecfb3d55ab6cffdde81cf59d
SSDEEP:	12288:npZsS4aTEaFP2BHykEW+7CGpfxNuWro8wFiQ4Cg0:nzsHaTEw7Jl7FpruWro8wF9g
TLSH:	A1F4933D29BD222BA175C3A7CBDBF427F138986F3115AD6498D343A94346A4734C326E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4ba566
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9A1BCFA6 [Wed Dec 6 22:18:14 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba511	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8c08	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb856c	0xb8600	82e60ee3e19305397cc2f5935f919b74	False	0.7003138241525424	data	6.958210174643718	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x5ac	0x600	1fefeea52d892dd9bb08ebb0534bae89	False	0.4231770833333333	data	4.111005504871255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	c09020cb67e1caded6bd0125e1440504	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc090	0x31c	data			0.4396984924623116
RT_MANIFEST	0xbc3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:45:16.600341+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:18.037828+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:18.578097+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49930	104.21.48.1	443	TCP
2025-01-11T03:45:19.178475+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:19.730053+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49940	104.21.48.1	443	TCP
2025-01-11T03:45:21.069145+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:21.637494+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49951	104.21.48.1	443	TCP
2025-01-11T03:45:22.022321+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:22.581243+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49959	104.21.48.1	443	TCP
2025-01-11T03:45:22.928496+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:23.480331+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49966	104.21.48.1	443	TCP
2025-01-11T03:45:23.819200+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:24.351225+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49973	104.21.48.1	443	TCP
2025-01-11T03:45:24.850359+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49814	132.226.8.169	80	TCP
2025-01-11T03:45:25.455761+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.10	49980	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:45:00.328758001 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:00.334496975 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:00.334573984 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:00.335177898 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:00.340950012 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:14.124535084 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:14.130105019 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:14.134972095 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:16.555829048 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:16.600341082 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:16.635885954 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:16.635948896 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:16.636024952 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:16.644435883 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:16.644467115 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.109497070 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.109587908 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.130731106 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.130754948 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.131645918 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.178469896 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.222918987 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.263323069 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.333410025 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.333472013 CET	443	49922	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.333548069 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.367422104 CET	49922	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.371121883 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:17.375941992 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:17.982935905 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:17.985934019 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.985975027 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:17.986562967 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.986890078 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:17.986902952 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:18.037827969 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:18.447875977 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:18.468338013 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:18.468369961 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:18.578110933 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:18.578207016 CET	443	49930	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:18.578315973 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:18.607923985 CET	49930	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:18.657394886 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:18.662219048 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:19.138087034 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:19.139105082 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.139137983 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.139209986 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.139719963 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.139729977 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.178474903 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:19.598900080 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.603485107 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.603498936 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.730130911 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.730268002 CET	443	49940	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:19.730351925 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.730978966 CET	49940	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:19.734113932 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:19.738920927 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:21.020294905 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:21.021179914 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.021223068 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.021297932 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.021564007 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.021579027 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.069144964 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:21.486943007 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.512759924 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.512795925 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.637533903 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.637620926 CET	443	49951	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.637687922 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.669789076 CET	49951	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.673613071 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:21.680749893 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:21.968872070 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:21.969794035 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.969836950 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:21.969898939 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.970347881 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:21.970364094 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.022320986 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:22.427922964 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.430691004 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.430727005 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.581273079 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.581361055 CET	443	49959	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.581465960 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.582096100 CET	49959	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.585417986 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:22.590224028 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:22.886873007 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:22.887820005 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.887856007 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.887922049 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.888245106 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:22.888253927 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:22.928495884 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:23.354043961 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.360631943 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.360667944 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.480407000 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.480577946 CET	443	49966	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.480638981 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.481156111 CET	49966	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.484424114 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:23.489207983 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:23.775898933 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:23.777159929 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.777220011 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.777318001 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.777744055 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:23.777756929 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:23.819200039 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:24.230093002 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.234369040 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.234394073 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.351273060 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.351361990 CET	443	49973	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.351413012 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.359349012 CET	49973	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.443308115 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:24.448399067 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:24.802040100 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:45:24.803785086 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.803838968 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.803915977 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.804250956 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:24.804265022 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:24.850358963 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:45:25.310972929 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:25.312750101 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:25.312766075 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:25.455784082 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:25.455867052 CET	443	49980	104.21.48.1	192.168.2.10
Jan 11, 2025 03:45:25.456000090 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:25.456593037 CET	49980	443	192.168.2.10	104.21.48.1
Jan 11, 2025 03:45:28.076992989 CET	51628	53	192.168.2.10	162.159.36.2
Jan 11, 2025 03:45:28.081876040 CET	53	51628	162.159.36.2	192.168.2.10
Jan 11, 2025 03:45:28.081999063 CET	51628	53	192.168.2.10	162.159.36.2
Jan 11, 2025 03:45:28.087011099 CET	53	51628	162.159.36.2	192.168.2.10
Jan 11, 2025 03:45:28.530359983 CET	51628	53	192.168.2.10	162.159.36.2
Jan 11, 2025 03:45:28.535526991 CET	53	51628	162.159.36.2	192.168.2.10
Jan 11, 2025 03:45:28.535595894 CET	51628	53	192.168.2.10	162.159.36.2
Jan 11, 2025 03:46:29.795870066 CET	80	49814	132.226.8.169	192.168.2.10
Jan 11, 2025 03:46:29.795984983 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:47:04.788652897 CET	49814	80	192.168.2.10	132.226.8.169
Jan 11, 2025 03:47:04.793488979 CET	80	49814	132.226.8.169	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:45:00.242506027 CET	63477	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:45:00.249583960 CET	53	63477	1.1.1.1	192.168.2.10
Jan 11, 2025 03:45:16.627712965 CET	54900	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:45:16.634907007 CET	53	54900	1.1.1.1	192.168.2.10
Jan 11, 2025 03:45:28.076117992 CET	53	57429	162.159.36.2	192.168.2.10
Jan 11, 2025 03:45:28.614306927 CET	53	64866	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:45:00.242506027 CET	192.168.2.10	1.1.1.1	0xa424	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.627712965 CET	192.168.2.10	1.1.1.1	0x3e8b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:00.249583960 CET	1.1.1.1	192.168.2.10	0xa424	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:45:16.634907007 CET	1.1.1.1	192.168.2.10	0x3e8b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49814	132.226.8.169	80	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:45:00.335177898 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 03:45:14.124535084 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:14.130105019 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:16.555829048 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:17.371121883 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:17.982935905 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:18.657394886 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:19.138087034 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:19.734113932 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:21.020294905 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:21.673613071 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:21.968872070 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:22.585417986 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:22.886873007 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:23.484424114 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:23.775898933 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 03:45:24.443308115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 03:45:24.802040100 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49922	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 02:45:17 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878306 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JDa06YV9z0yrUvMmKiOBD9AWheuM%2F3Cm4Yxa7BCnV5%2BjI4bx5Hq22a6LXAijhaFlesGOAHCVpDLs5wHEOhAPPSSr5IWM3fwmXXrepXUxYDS9vjgVXqWa0FBrDbnylE%2BN93QBTDoq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191def99d8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1788&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1556503&cwnd=238&unsent_bytes=0&cid=226024f84bd99f23&ts=241&x=0"
2025-01-11 02:45:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49930	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:18 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:18 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878307 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B4FvgB8dVGieWTNHJfSK0l5gYrqn7PYldw6%2FGojgWY33XNYaqxrlCFTozRB9QLpQYzj%2BB5S3vE%2B%2BeFMWn2MojlqgMCr%2FySCyhQoye%2BYH3iac5uwdacjyCN1NL5YLxfFoBtXnX27p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191e6b851c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1471&min_rtt=1470&rtt_var=554&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1967654&cwnd=214&unsent_bytes=0&cid=2ac730b96dc8e5c9&ts=140&x=0"
2025-01-11 02:45:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49940	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:19 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:19 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878308 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AOkNHCvKlaftsTzsATyXWavf5YRwoiR0CvCpe3rwquUyYKV0Uc6jqdNylfGcT%2FeDE5x4PLxbDgIxNR9w9lKrA36L%2FShhK%2B7lrLzUiERK4iq%2FgVolp8joqDf3O5SEDZ5k0S169ZDV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191edeacd42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2308&min_rtt=1739&rtt_var=1790&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=464081&cwnd=240&unsent_bytes=0&cid=9185bcd8f68e5b14&ts=140&x=0"
2025-01-11 02:45:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49951	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:21 UTC	865	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878310 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8mCNm%2BeUzRh6zty4KEj4xpDm6Wg1RZWV%2F%2F3gMrM4NRNtsoS0LxGsEfHIYF6zKzsinshv%2FZcX08z%2B0dLqa38ZiVuCFYskSAinx95d%2B7%2B4jld%2Bz0TxB9nBO8ouHWZQQNSoZHzyWvBM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191f9dee142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1656&rtt_var=637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1695702&cwnd=240&unsent_bytes=0&cid=cffd28cf8fd30a83&ts=156&x=0"
2025-01-11 02:45:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49959	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:22 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878311 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Owjs0j8ownQAd6785Yz6%2BB%2FO8rwK9ZpZt0D30OpQtg%2F0RTJThvxWPkD%2BneIGjyoHauE3jBPURTizmKggz%2BvIL9VNNMyvcZNjaNSaaivcuHGWGXSgolfwMjCRE4l1yBkqqb7uRPR5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900191ffb91043be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1633&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1788120&cwnd=226&unsent_bytes=0&cid=54643d5525d59fe6&ts=160&x=0"
2025-01-11 02:45:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49966	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:23 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:23 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:23 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878312 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AhvjF1vub5tERSmXGXVCn75%2BN3iRESrzkdlYzic2P9a5SytrXMv9xZ7YaDjvRCVv4CGs3TuCuMuSAFbl396sUqhFebYifE%2BA7VVlgMbx8Zo9khPpy%2F9ABRsQTOEGDEVq2N9CG%2B2i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900192056c9f8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1790&rtt_var=678&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1605277&cwnd=238&unsent_bytes=0&cid=882e0bf835a1636c&ts=130&x=0"
2025-01-11 02:45:23 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49973	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:24 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:24 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878313 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dAfzL4Hwk2I2VZ9q6pKhz4rhvAlJnhnKYsQQ%2BEoa35pFvA52xj0rNaOroLVJcFx9lT02%2FUL9CpZ5Pzo16A7IgHoS4NZ5G6gSRS%2BCEOZ1qvAV%2FyY034zSbzIm9WImjo8wuifxwEf0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001920adec443be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1585&rtt_var=603&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1842271&cwnd=226&unsent_bytes=0&cid=f20a2d4671346f3e&ts=124&x=0"
2025-01-11 02:45:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49980	104.21.48.1	443	7380	C:\Users\user\Desktop\fpIGwanLZi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 02:45:25 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 02:45:25 UTC	868	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:45:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1878314 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nCs5bHIbgFtG8FQzBTqY1kcfTNi0%2BXO6%2Bv3JgYSo94usBIdqhqO00m4cqT86RysBHoOGJbMGT3S%2F27hF5n5NgB%2BYmOc0HY%2B1aU70qAGn1bsb%2B%2B3WgpFAp4CZ3WVAxABtatryR99%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90019211b84843be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31122&min_rtt=1631&rtt_var=18168&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1790312&cwnd=226&unsent_bytes=0&cid=e0569307e298e165&ts=149&x=0"
2025-01-11 02:45:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: fpIGwanLZi.exePID: 7880, Parent PID: 3968

General

Target ID:	0
Start time:	21:44:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0xa40000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1463069626.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: fpIGwanLZi.exePID: 7304, Parent PID: 7880

General

Target ID:	3
Start time:	21:44:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0x3c0000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: fpIGwanLZi.exePID: 7368, Parent PID: 7880

General

Target ID:	4
Start time:	21:44:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0x80000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: fpIGwanLZi.exePID: 7380, Parent PID: 7880

General

Target ID:	5
Start time:	21:44:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\fpIGwanLZi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fpIGwanLZi.exe"
Imagebase:	0xec0000
File size:	757'760 bytes
MD5 hash:	B270344E0A2760F0FAACBE25670635BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000005.00000002.3163834939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3165103758.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: fpIGwanLZi.exePID: 7880, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	8

Executed Functions

Function 0148D5B9 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D646
GetCurrentThread.KERNEL32 ref: 0148D683
GetCurrentProcess.KERNEL32 ref: 0148D6C0
GetCurrentThreadId.KERNEL32 ref: 0148D719

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d65e638a11f4ebf25df0ebd413e253894dee258c64ece061f869c37166e99f10
Instruction ID: 95990b956f441bdff6d45e712ce269022c3ac92aacebefbd736315356e4cd10f
Opcode Fuzzy Hash: d65e638a11f4ebf25df0ebd413e253894dee258c64ece061f869c37166e99f10
Instruction Fuzzy Hash: A15176B0D013498FEB14DFAAD548BAEBBF1EF88304F20846AD019A73A0D7745981CB65

Function 0148D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0148D646
GetCurrentThread.KERNEL32 ref: 0148D683
GetCurrentProcess.KERNEL32 ref: 0148D6C0
GetCurrentThreadId.KERNEL32 ref: 0148D719

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2409b298bce81f745935460abdc43950acd5b7e9f99c5e2553dd28d7a23d3e3c
Instruction ID: 5d090edee33c14be8aeb36ab10f6f4d6768e69a753e0cf14f03c0df7c0b89be0
Opcode Fuzzy Hash: 2409b298bce81f745935460abdc43950acd5b7e9f99c5e2553dd28d7a23d3e3c
Instruction Fuzzy Hash: CB5145B0D013498FEB14DFAAD548B9EBBF1EF48304F20846AE419A73A0D7745984CB65

Function 0713E094 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0713E2D6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4b56f7f40cdcbb39d51a92242b612f39dd724896fb4d9a95e88a2a283e4b315d
Instruction ID: 162ee3b992e9ab7d152e55ccd26e1da4af1261216135790779ae9e08c7fc47a4
Opcode Fuzzy Hash: 4b56f7f40cdcbb39d51a92242b612f39dd724896fb4d9a95e88a2a283e4b315d
Instruction Fuzzy Hash: E6A12AB1D0031ADFEB25CF69C841BDDBBB2BF44310F1485A9E809A7280DB749989CF91

Function 0713E0A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0713E2D6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fcb95d1f5d24e694fafedabc29d17076354be4ef1f131b7cbbe5221bde05746a
Instruction ID: 26bcb96585bb1a305f3649e3627a799cad25b9a974dc7d2ecd04be08f1b3a897
Opcode Fuzzy Hash: fcb95d1f5d24e694fafedabc29d17076354be4ef1f131b7cbbe5221bde05746a
Instruction Fuzzy Hash: 5A911AB1D0031ADFEB25DF69C841BDDBBB2BF44310F1485A9E809A7280DB759989CF91

Function 0148AF19 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148B17E

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 09e4b50f8b4a10c4d3d05edf8ca55765a8ad69926b8ea0d7b9763381188a059b
Instruction ID: e9c5c06062cdfa7cc7e89e5264aea52d631b15b7f0a837fdb612378903ad6c1f
Opcode Fuzzy Hash: 09e4b50f8b4a10c4d3d05edf8ca55765a8ad69926b8ea0d7b9763381188a059b
Instruction Fuzzy Hash: 308145B0A00B058FE725EF2AC45475BBBF1FF48204F10892ED59A9BB60D775E846CB94

Function 0148590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 87caa2efe0460ec1e15069b2dcdbfac01a29ac3aaecc9c79da5bd623c4255b96
Instruction ID: 92837c96cfef18e833e87cfdb86afa60f6d291cb9e351160ca1c7b5792e35e8b
Opcode Fuzzy Hash: 87caa2efe0460ec1e15069b2dcdbfac01a29ac3aaecc9c79da5bd623c4255b96
Instruction Fuzzy Hash: 2C41E3B0C00719CBEF24DFAAC884BDEBBB5BF49314F20806AD409AB255DB755946CF90

Function 01485A84 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042f8cc073a5540888329302adeaeef3860ff6d1de869a10fe64a3ab0f7512c
Instruction ID: 4472802fc87dfb6d7dfb799ad10ce03ad157d86d8eb89fd53483a7316dd4b7c4
Opcode Fuzzy Hash: b042f8cc073a5540888329302adeaeef3860ff6d1de869a10fe64a3ab0f7512c
Instruction Fuzzy Hash: 7341DD71C05348CFEF11EBA8C8857EEBBB1AF56324F20818AD445AF262C775598ACB41

Function 0148449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014859C9

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 43709a0fbd876be5355dbceea208c10bf2c575d813da7d2ef69e55599e55e5eb
Instruction ID: 73453455c5b6d995f798624a64636ebb6c781b1e751032c5f12fe56d1c577b40
Opcode Fuzzy Hash: 43709a0fbd876be5355dbceea208c10bf2c575d813da7d2ef69e55599e55e5eb
Instruction Fuzzy Hash: 6141C470C00719CBEB24DFAAC885BDEBBB5BF45304F20806AD409AB251D7755946CF90

Function 07115D50 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07115DEF

Memory Dump Source

Source File: 00000000.00000002.1465921328.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_fpIGwanLZi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ab37e2655d5213854766065aeb0e26513bc775b9ce2209f2a1a5d371018b93b6
Instruction ID: 7c82115d65ecddd105be088a8f46012984af407a0adcfd13a297c1633a367409
Opcode Fuzzy Hash: ab37e2655d5213854766065aeb0e26513bc775b9ce2209f2a1a5d371018b93b6
Instruction Fuzzy Hash: F031E4B5D0130A9FDB11CF9AD884ADEFBF5FB48320F14842AE815A7250D774A945CFA1

Function 0713DE10 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0713DEA8

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ba7c4b7d1cde40e47e3b0033ce74f0d0809f1dd22c2b8f8edd54548204149165
Instruction ID: 36f623aa14315bbad4004dd42c4862e5ee88ce08c645bd906f01bd02efc9d27a
Opcode Fuzzy Hash: ba7c4b7d1cde40e47e3b0033ce74f0d0809f1dd22c2b8f8edd54548204149165
Instruction Fuzzy Hash: DE2135B5D00349DFDB14CFAAD885BEEBBF5FB48310F10842AE958A7240C7789941CBA0

Function 0148D808 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D897

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4297805f78eacb6a5d4692a8ab75ffa3edb1696dc40446367dad8d8427383b0d
Instruction ID: f6f45476f4d9242a428be0ee53df74eb40ecb564ea0ff1ed724ef653f239471e
Opcode Fuzzy Hash: 4297805f78eacb6a5d4692a8ab75ffa3edb1696dc40446367dad8d8427383b0d
Instruction Fuzzy Hash: 123148B5C002499FDB11CF99D844BDEBFF4EB48320F14856AE968A7351C374A941CFA0

Function 07115D58 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07115DEF

Memory Dump Source

Source File: 00000000.00000002.1465921328.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_fpIGwanLZi.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 62967d738aa11dc1b7fc18cb89d71a8a9d1000e1b0aea68653374fba0ccbae92
Instruction ID: f2bbec5cdacdc5c7361a3734dc3f06ab7b1360a357fac6eb728783afa1ccb7af
Opcode Fuzzy Hash: 62967d738aa11dc1b7fc18cb89d71a8a9d1000e1b0aea68653374fba0ccbae92
Instruction Fuzzy Hash: A921F2B5D0030A9FDB11CF9AD884A9EFBF5FB48310F14842AE829A7350D374A940CFA0

Function 0713DE18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0713DEA8

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ea41ba98f798465e1057d997377854043b23c0747a3b82273023701c8821928d
Instruction ID: 5044c79b04d0b690e3205b6e06b06e21196649b2959706bfaf8a18939b049d2f
Opcode Fuzzy Hash: ea41ba98f798465e1057d997377854043b23c0747a3b82273023701c8821928d
Instruction Fuzzy Hash: 252124B1900349DFDB14CFAAC885BDEBBF5FF48310F10842AE958A7240D779A941CBA0

Function 0713D871 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0713D8F6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4bd7e5f4ab317bb2e10bf11dc91e6ca8aa969d85921671c5274a89d755e37a10
Instruction ID: fc51365a63b300174d785f7d5c23e71d8de8f1d21ef8cd9f54063b2ec828f4c5
Opcode Fuzzy Hash: 4bd7e5f4ab317bb2e10bf11dc91e6ca8aa969d85921671c5274a89d755e37a10
Instruction Fuzzy Hash: F0213DB1D003099FDB10DFAAD4457EEBBF4EF48314F14842AD559A7240C7789945CFA0

Function 0713DF00 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0713DF88

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f5cdfb946d12c809e5c280af29a3bf7c4398df4a74fa2977c9d72fa8c98efb6
Instruction ID: c50e1dba8661b4c3a43d0ddc1f582994b182b72b46b6e0d0b1d464c2c062290a
Opcode Fuzzy Hash: 5f5cdfb946d12c809e5c280af29a3bf7c4398df4a74fa2977c9d72fa8c98efb6
Instruction Fuzzy Hash: 1F2116B1D013599FDB10DFAAD881BDEBBF5FF48310F50842AE958A7244C7799941CBA0

Function 0713DF08 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0713DF88

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 15862fb25b3249739bfc75afc671f624110811d7bb18db5f485625a945d5fb9b
Instruction ID: cbc5306a1de1c08659ab97e36907263203cdc621f09f5c21f28d440b57527c62
Opcode Fuzzy Hash: 15862fb25b3249739bfc75afc671f624110811d7bb18db5f485625a945d5fb9b
Instruction Fuzzy Hash: 662125B1D003599FDB10CFAAC881BEEBBF5FF48310F10842AE958A7240C7799941CBA0

Function 0713D878 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0713D8F6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6b3cbbf266a635e0bd3ce8206265409277db429a4d59ea9fac59d34d5c83f516
Instruction ID: 56dc651b6d58c93da9683c24f3300b63d4111456728506dc36ba2210448b778b
Opcode Fuzzy Hash: 6b3cbbf266a635e0bd3ce8206265409277db429a4d59ea9fac59d34d5c83f516
Instruction Fuzzy Hash: E92129B1D003099FDB10DFAAC4857EEBBF4EF48310F14842AD959A7281D778A945CFA4

Function 0148D810 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0148D897

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d4f657f467744ed4d535f0f5f22240105ab8de6d39362845174b67471133ff7
Instruction ID: f565d31dc9c3f9f749c541c580efc8c38add0055dff12782fed0038104191e26
Opcode Fuzzy Hash: 0d4f657f467744ed4d535f0f5f22240105ab8de6d39362845174b67471133ff7
Instruction Fuzzy Hash: 6221E2B5D01209EFDB10CFAAD884ADEBBF8EB48310F14841AE918A3350D374A940CFA5

Function 0713DD50 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0713DDC6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4b9277753f4ce18d065a97bfbc82302f9d3e0a718a6805c0d38f5ee177fc933
Instruction ID: 48409b71559cd80852c7c3cf40edb537720ce50d62e9721d1e1b2a6f1ea21b3d
Opcode Fuzzy Hash: a4b9277753f4ce18d065a97bfbc82302f9d3e0a718a6805c0d38f5ee177fc933
Instruction Fuzzy Hash: A11156729003499FDB20DFAAD844BEEBBF9EF48320F148419E955A7640C775A940CFA0

Function 0713D7C1 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0713D82A

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 89e419e3fcc80d02834718413df0392e67a9c0d74f3209a46f9fafa5dbeca223
Instruction ID: 6fa6cce7285f287c0fe473faa36b6fae786f86f900db45ed7bae625441d140ce
Opcode Fuzzy Hash: 89e419e3fcc80d02834718413df0392e67a9c0d74f3209a46f9fafa5dbeca223
Instruction Fuzzy Hash: 54116AB1D003498FDB20DFAAD4457EEFBF4EB88320F14842AD419A7240C779A941CFA4

Function 0713DD58 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0713DDC6

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5ac77dbb65e88379815810ebbf1a8dd323fbf102f71cbb84593056613ab1b13e
Instruction ID: 2fdf36442ba7bdc56524816f6456c680c84d1f32c2c0f6e380cb67561cacb01a
Opcode Fuzzy Hash: 5ac77dbb65e88379815810ebbf1a8dd323fbf102f71cbb84593056613ab1b13e
Instruction Fuzzy Hash: 621137B19003499FDF20DFAAD844BDEBBF5EF48320F148819E955A7250C779A941CFA0

Function 07140430 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07140495

Memory Dump Source

Source File: 00000000.00000002.1466035639.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_fpIGwanLZi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3d3d01eeafcf0b50239af864fcef9610640ad2b898e2f2523090aa31450b7562
Instruction ID: cd5ee50572159b1f47ace7fda82f0589f0cccc0138825a3640de1af31a4c242a
Opcode Fuzzy Hash: 3d3d01eeafcf0b50239af864fcef9610640ad2b898e2f2523090aa31450b7562
Instruction Fuzzy Hash: F611F5B5900349DFDB20CF9AD845BDEBFF4EB48320F14885AD958A7240C375A984CFA1

Function 0713D7C8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0713D82A

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 637ce1f1186491740d345618076ca93b5e8ec43a6e8c70bbc932ac45a89d8846
Instruction ID: 10a4660671322652df766c779c647815c746394d705a8903f90001daaf92d79c
Opcode Fuzzy Hash: 637ce1f1186491740d345618076ca93b5e8ec43a6e8c70bbc932ac45a89d8846
Instruction Fuzzy Hash: 98113AB1D003498FDB20DFAAD4457DEFBF4EB88320F148419D459A7240C779A941CF94

Function 0148B118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0148B17E

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 87d24ca0fb74d1d3ad5042985f7a961ad995f79600fd0d72939e8b2f54f4a238
Instruction ID: 9a3f568f31c653ef1cc7c1e7327b3c56ee72776e07a608e80d4d512dc574ab33
Opcode Fuzzy Hash: 87d24ca0fb74d1d3ad5042985f7a961ad995f79600fd0d72939e8b2f54f4a238
Instruction Fuzzy Hash: B11113B5C003498FDB20DF9AC844BDEFBF4EB48210F10841AD828A7310C375A545CFA1

Function 07140438 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07140495

Memory Dump Source

Source File: 00000000.00000002.1466035639.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_fpIGwanLZi.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d68147ae2b3beaf14c6585fda154ffd8b6112d955b6242851d2b060d38118d61
Instruction ID: e061450c6a4726fa6823613df7032a85db748415500acf9980063ab83f8bef74
Opcode Fuzzy Hash: d68147ae2b3beaf14c6585fda154ffd8b6112d955b6242851d2b060d38118d61
Instruction Fuzzy Hash: 0411E5B5800349DFDB10CF9AC845BDEFBF8EB48320F14845AE958A7240C375A944CFA5

Function 054E3EA8 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 054E3F08

Memory Dump Source

Source File: 00000000.00000002.1465089813.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_fpIGwanLZi.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ad632183c3d304884ff095e405953fea1c538824b3ce5e05bdd946244ad72f8c
Instruction ID: e70bab772487394ba77635540741c55316d36c22f68be0614088e7ed1e7e02e5
Opcode Fuzzy Hash: ad632183c3d304884ff095e405953fea1c538824b3ce5e05bdd946244ad72f8c
Instruction Fuzzy Hash: 4C1166B1800349CFDB10CF9AC445BDEBBF4EB48320F10845AE968A7341C338A984CFA4

Function 054E3EB0 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 054E3F08

Memory Dump Source

Source File: 00000000.00000002.1465089813.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_fpIGwanLZi.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 08396b4304128fecf1e7bf38f943d8b795fe6098a9cf7a3720fa6d823b8b1b13
Instruction ID: 084d5445287fcad27440c56b2ae710dda17f91cb8faff70f917abe8cf9c2cb19
Opcode Fuzzy Hash: 08396b4304128fecf1e7bf38f943d8b795fe6098a9cf7a3720fa6d823b8b1b13
Instruction Fuzzy Hash: CA1103B5800349CFDB20DF9AC545BDEBBF4EB48320F10845AD968A7341D379A945CFA5

Function 013ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459960780.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffec341747c3c6966333be3bf6472d01917ab92884d057648b55872acb0e6f08
Instruction ID: ac7e18e2a6874c220f6b016dd6ed16f97723b47d73b200facd1852ac015bc964
Opcode Fuzzy Hash: ffec341747c3c6966333be3bf6472d01917ab92884d057648b55872acb0e6f08
Instruction Fuzzy Hash: A1214872500308DFDB05DF44D9C8B56BBA5FB94318F20C169E9091B286C736E456CAA2

Function 013FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460067022.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e468cc6e171fd960f9635e73ed443894f00a8e0405e0db881083c189e09add
Instruction ID: fbe634e3bf740b3975fdd616e00e1611feaa4f45d934000b14b835185e53eafb
Opcode Fuzzy Hash: 42e468cc6e171fd960f9635e73ed443894f00a8e0405e0db881083c189e09add
Instruction Fuzzy Hash: 0E213471604304EFDB15DF54D9C8B16BB65FB84318F20C56DEA0A4B386C33AD847CA62

Function 013FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460067022.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397b0f15dce17efc9c4dbeac97db5ff4ba51fde391863db10b5e4478c3dd018a
Instruction ID: 61af909c996fbe3c11c41888f1a6bfda7a1c1daa012c8f72a4ffd481ff153075
Opcode Fuzzy Hash: 397b0f15dce17efc9c4dbeac97db5ff4ba51fde391863db10b5e4478c3dd018a
Instruction Fuzzy Hash: B0212975504304FFDB05DF94D5C8B16BB65FB84328F20C56DEA094B256C376D446CAA1

Function 013FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460067022.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ebf91378d0f07d79d19a875e53c26a782fce99517e0f4ad3f8f2e93f6472b5
Instruction ID: fdaf3fdbcd3f308b8c5a25b9cd634fcab9e87f436b58423df90e60c746152b20
Opcode Fuzzy Hash: 42ebf91378d0f07d79d19a875e53c26a782fce99517e0f4ad3f8f2e93f6472b5
Instruction Fuzzy Hash: 4A219F755093808FCB07CF24D994715BF71EB46218F28C5EED9498F2A7C33A980ACB62

Function 013ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459960780.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13ed000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a736483c7301ab0b942446287a2da93ee8c90a3553c7a0be40e84c1f23337044
Instruction ID: 34f4ae995f8f63d877856b952f0319db6b13411da815d05613cee29042992de1
Opcode Fuzzy Hash: a736483c7301ab0b942446287a2da93ee8c90a3553c7a0be40e84c1f23337044
Instruction Fuzzy Hash: 8111CD76404280CFCB06CF44D5C4B56BFA1FB94224F2482A9D8090A256C33AE456CFA1

Function 013FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460067022.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13fd000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction ID: 2f70f0258eb997cba718b1b3159c44e9170c522b76245fbcbb7c8fa9c0843069
Opcode Fuzzy Hash: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction Fuzzy Hash: 7511BE79504240DFCB06CF54C6C4B15BB71FB84228F24C6AED9494B256C33AD40ACB91

Non-executed Functions

Function 07141650 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1466035639.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b239700e17f5e94640d8a679952abe0ef27a26285117087578d5469062140b
Instruction ID: 040160d72035362b77d2e2f9188b55fb14e3b61b8e71fb2259ac217ddc80ce63
Opcode Fuzzy Hash: d3b239700e17f5e94640d8a679952abe0ef27a26285117087578d5469062140b
Instruction Fuzzy Hash: F3D1CEB170060A9FD71AEB76C850B6EB7F6AF89601F24846ED146DB3E0DB34D881C751

Function 0713B760 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c42ddff020a8e6b8baf207d14bee69846f4b42e40ec66608a477f4ed257f187
Instruction ID: aa241995d719fa9305a16c47bf24fe94444c57c7a4b5eefca01a9e1740c08d65
Opcode Fuzzy Hash: 9c42ddff020a8e6b8baf207d14bee69846f4b42e40ec66608a477f4ed257f187
Instruction Fuzzy Hash: D0E10CB4E042598FDB24DF99C580AAEFBF2FF89305F248169D454A7359D7309942CF60

Function 0713B328 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a20231bbc2a0d8d7f41d91f5107857b696f660c517228485692716b57d73ee4
Instruction ID: d48283bb0946126031c4c22d28ddfb07a9f144bbdbd10d75621d355cf46aa0e5
Opcode Fuzzy Hash: 0a20231bbc2a0d8d7f41d91f5107857b696f660c517228485692716b57d73ee4
Instruction Fuzzy Hash: C8E10BB4E042598FDB24DFA9C580AAEFBB2FF89305F248169D415AB355D7309D42CF60

Function 0713CFA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca1d6fc6f94cd08af1e1bd708590bc4008e7ac7554f45081c585019c02f3ab3
Instruction ID: 35159446a6098f2d2cd771fa62beedbfa49174adbb84cf161ba8f684aa440afc
Opcode Fuzzy Hash: 8ca1d6fc6f94cd08af1e1bd708590bc4008e7ac7554f45081c585019c02f3ab3
Instruction Fuzzy Hash: 73E11AB4E002598FDB14DFA9D580AAEFBB2FF89305F248169D454AB359D730AD42CF60

Function 0713AEF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b068db562feaa2b7091beb8bd79dbafe8c23b5bf8bc4a7e90b7ae4a870ccab4
Instruction ID: 117a17face0ca62357f04f3b9783f291ca2ab08927ad3beb8b2948da20dc344f
Opcode Fuzzy Hash: 6b068db562feaa2b7091beb8bd79dbafe8c23b5bf8bc4a7e90b7ae4a870ccab4
Instruction Fuzzy Hash: DAE12EB4E0425A8FDB14DF99C580AAEFBF2FF89305F248169D415AB359D730A941CF60

Function 0713CB68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315061fd786d441daee305f4197b8172fce31dba3c6209d7428cece33c84b5e3
Instruction ID: 263b4ac86d707cbfd51b5486536a9936bf85e96b8b71ead08ff7cd2d99a01bdb
Opcode Fuzzy Hash: 315061fd786d441daee305f4197b8172fce31dba3c6209d7428cece33c84b5e3
Instruction Fuzzy Hash: D6E11CB4E1025A8FDB14DFA9C580AAEFBB2FF89305F248169D414B7395D730A941DFA0

Function 054EE62B Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465089813.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc030da70204f31b80d8754e89ac13dbf9fa4ac57338c0e5d1790e720b6b3b46
Instruction ID: 848a5bf2fbdae43a7400729c122a9ae4eb1265e9dd16642999db0a20efaa353f
Opcode Fuzzy Hash: fc030da70204f31b80d8754e89ac13dbf9fa4ac57338c0e5d1790e720b6b3b46
Instruction Fuzzy Hash: 8CD1F831D20B1A8ADB11EB68D99469DB7B1FF96200F50C79AE40977260EF70AEC4CF41

Function 0148D584 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1460310986.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1480000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05db9c642b98b45039373f40cd36914ccd5220760fd3af1f6001181ca9417235
Instruction ID: 8f4f6e68df45f9f1a843b756a786553bef3be8d637eaa55f1ff0eb629fdd7ceb
Opcode Fuzzy Hash: 05db9c642b98b45039373f40cd36914ccd5220760fd3af1f6001181ca9417235
Instruction Fuzzy Hash: B8A18036E0020ACFCF05EFB5C84059EBBB2FF95300B25856AE905AB365DB71E959CB40

Function 054EE630 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465089813.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54e0000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133e829ccd56f66ef2b3c128fb173f3b3a26acf34f0ee971b786a91bd6143999
Instruction ID: 6bd220ec672a884f31c0c07197575b9f7b4a268a670ccd3457b9d9ab9d5d1620
Opcode Fuzzy Hash: 133e829ccd56f66ef2b3c128fb173f3b3a26acf34f0ee971b786a91bd6143999
Instruction Fuzzy Hash: BED1F831D20B1A8ADB11EB68D9946ADB7B1FF96200F50C79AE40977260EF706EC4CF41

Function 0713AEBF Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1465999472.0000000007130000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7130000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82207ce6361a9b6892308197144746951ba6f28a21cbe37af332e5ba548ceafd
Instruction ID: 2599dff45a24cb62d386f3ba7e10d90bacb8e6802bf480793ca7be363a1e8cdc
Opcode Fuzzy Hash: 82207ce6361a9b6892308197144746951ba6f28a21cbe37af332e5ba548ceafd
Instruction Fuzzy Hash: C4514DB0E042598FDB14CFA9C9805AEFBF6FF89300F24816AD414AB356D7319942CFA1

Analysis Process: fpIGwanLZi.exePID: 7380, Parent PID: 7880COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	4

Executed Functions

Function 02F96118 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99cfeead411689ecbfd5fa0045dbbe5939fbec9e28257d16ee90ca8e5c4a741
Instruction ID: 240d59243465857bb19f06975b71335e9014b927f6bb7f566820af2168e37e3b
Opcode Fuzzy Hash: f99cfeead411689ecbfd5fa0045dbbe5939fbec9e28257d16ee90ca8e5c4a741
Instruction Fuzzy Hash: AE724C71A002199FEF15CFA9C994AAEBBB6FF88344F148469E505EB3A1DB34DC41CB50

Function 02F99858 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d37c988f5d443c8da9858e238788261d6cf544a1029f273155c54ee40d7ddcf
Instruction ID: 72fc7b2472561a49b81904b2f82e74b6d7906a6a543110c952c7d370656458fd
Opcode Fuzzy Hash: 3d37c988f5d443c8da9858e238788261d6cf544a1029f273155c54ee40d7ddcf
Instruction Fuzzy Hash: 57728D71A00209DFEF15CF68C884AAEBBB2FF88344F158559E915AB2A1D770ED85CF50

Function 02F93580 Relevance: .4, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdaaf9f505efc926ae7a533ddac5d329fa0a810062cf6bad01ea8c332d399bae
Instruction ID: 16f0849f8215ed0edbe8d53f90606c760acd7feeac81c90dc984128b8021b2d9
Opcode Fuzzy Hash: cdaaf9f505efc926ae7a533ddac5d329fa0a810062cf6bad01ea8c332d399bae
Instruction Fuzzy Hash: 9BF15C35F002489FDF18DFB9D854AAEBBB2BF88300B148569E906A7354DF359C02CB91

Function 02F9C470 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3d3b6486b9645d7bfc938b318374a9bf674ffc14deb741030380d5a69812d3
Instruction ID: 7c1da7bb3927b79a3be8a120544ace93a77ae45be713c4d51880b64610f33bea
Opcode Fuzzy Hash: 8c3d3b6486b9645d7bfc938b318374a9bf674ffc14deb741030380d5a69812d3
Instruction Fuzzy Hash: D1A1C474E002189FEF14DFA9D984B9DBBF2BF89340F14806AE919AB365DB349941CF50

Function 02F9B4A0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd248e83617917dd7ce9bf36a21dd1df99cfa7f5dff6ea79c4c9db0d986a3b2
Instruction ID: 833a5c55891379e2afe8f8c593810c88179de46de427e72d8723bc1a223b740b
Opcode Fuzzy Hash: 6cd248e83617917dd7ce9bf36a21dd1df99cfa7f5dff6ea79c4c9db0d986a3b2
Instruction Fuzzy Hash: D5A1E874E00218DFEB14CFAAD984A9DBBF2FF89344F1480A9D509AB361DB359941CF51

Function 02F9C753 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d461cd19e69c874fe9f67a501cbec0abcc59c1c862c3648fb67ef8b084e5edc
Instruction ID: cccf02a55ca63c011e8049cb0e007346519c0711ecf59f255694664deac56570
Opcode Fuzzy Hash: 0d461cd19e69c874fe9f67a501cbec0abcc59c1c862c3648fb67ef8b084e5edc
Instruction Fuzzy Hash: BF81C574E002188FEF14CFAAD994B9DBBF2BF88340F14806AD919AB365DB349941CF10

Function 02F9C190 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2425dbe1449c36210397824b63c727fe75b5dd7fa3fbd7568df6cacb21b84cf3
Instruction ID: cc27f5cfcb20ef77c8b78e9788215d6e5612f40f3fda1e4e90144a2b5225692d
Opcode Fuzzy Hash: 2425dbe1449c36210397824b63c727fe75b5dd7fa3fbd7568df6cacb21b84cf3
Instruction Fuzzy Hash: 2C81C474E00218CFEB14DFAAD984A9DBBF2BF89340F14806AE919A7365DB349941CF54

Function 02F94AD9 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc6015417387fdf0ce18d13f7b3c892559189f4f1a3a1b3b86ecf3811f8720b
Instruction ID: 2a3f581c17335295f730ae836fa2a35856cb6562ba086d4df14362c673497b15
Opcode Fuzzy Hash: 9cc6015417387fdf0ce18d13f7b3c892559189f4f1a3a1b3b86ecf3811f8720b
Instruction Fuzzy Hash: E781B574E00218DFEB14CFAAD984B9DBBF2BF88300F148069D919AB365DB345982CF51

Function 02F9BEB0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9706e8e3d2eb67832a9f524c8c9f97c884083f7240e6b0d59091fb90f9e9cee9
Instruction ID: 2b28577606843146939fac20cf15d6c30a662752e9a22cd9dbbab6df705725c7
Opcode Fuzzy Hash: 9706e8e3d2eb67832a9f524c8c9f97c884083f7240e6b0d59091fb90f9e9cee9
Instruction Fuzzy Hash: C781A574E002188FEF14DFAAD984B9DBBF2BF88340F14806AD519AB365DB349981CF55

Function 02F9CA33 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b24de578ad093cb47d1cbd525c6e36bac11c0be304b52c5a0b73f7bb0f8317
Instruction ID: 40e3222bd27f4f12e7aff524d36a34ca87311fda735299dfc16cb202bbb8cac3
Opcode Fuzzy Hash: d3b24de578ad093cb47d1cbd525c6e36bac11c0be304b52c5a0b73f7bb0f8317
Instruction Fuzzy Hash: EC81A474E00218CFEB14DFAAD994B9DBBF2BF88300F14806AD919AB365DB349941CF50

Function 02F9BBD3 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab16f61b5ae0175779bee40b5a245d9af23271acbd6b11160d6d5cc9e30e5c1
Instruction ID: 8c7776c84f82c5fba7407fe5b11fb0b7c4f337085f5374f5a222d8954a1870a5
Opcode Fuzzy Hash: 7ab16f61b5ae0175779bee40b5a245d9af23271acbd6b11160d6d5cc9e30e5c1
Instruction Fuzzy Hash: 3B81B474E00218CFEB14DFAAD984B9DBBF2BF89304F14806AD919AB365DB349941CF51

Function 02F9B4F3 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9477f78bdef800bc99b1139256788e0195c03454919812df1b931f9bee54dbd9
Instruction ID: f3c96b04611a2bd640dd650798e7ee51ace4560c250f9ba2717555ecb83ece31
Opcode Fuzzy Hash: 9477f78bdef800bc99b1139256788e0195c03454919812df1b931f9bee54dbd9
Instruction Fuzzy Hash: F661C274E006089FEF18DFAAD984A9DBBF2BF89300F14C069D918AB365DB349941CF51

Function 06C464D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06C464A6,?,?,?,?,?), ref: 06C46567

Memory Dump Source

Source File: 00000005.00000002.3167447754.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c40000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8f4a9b872e3b3dfeb482df2410811b2fb1be5d32e4b8dd711a739b99a1410b7b
Instruction ID: 837f4a584438d0e926b8fb09df77b3dce6ac20301924794be3c5b565272809f1
Opcode Fuzzy Hash: 8f4a9b872e3b3dfeb482df2410811b2fb1be5d32e4b8dd711a739b99a1410b7b
Instruction Fuzzy Hash: 0021E4B5D002099FDB10DFAAD885ADEFFF8EB48310F14801AE918A3351D379A955CFA4

Function 06C4600C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06C464A6,?,?,?,?,?), ref: 06C46567

Memory Dump Source

Source File: 00000005.00000002.3167447754.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c40000_fpIGwanLZi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc9c99f20033d2ba64ce1eb7e19e30db98a7a8d48fbf95788bef682eecce7fc4
Instruction ID: 6c49b318c708f6e41e4dc1758a40b142375df776f24dcae88a324bb3f3e72303
Opcode Fuzzy Hash: cc9c99f20033d2ba64ce1eb7e19e30db98a7a8d48fbf95788bef682eecce7fc4
Instruction Fuzzy Hash: 2221E3B5D002099FDB10DFAAD884ADEBBF4EB48310F14801AE918A3311D378A950CFA4

Function 06C4E114 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06C4EC4C), ref: 06C4EE86

Memory Dump Source

Source File: 00000005.00000002.3167447754.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c40000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0227ded3470789f635531116654856bac95c767f00d2fce7feb553d47f83eec
Instruction ID: 69ef9d905e58c37f5d7a94ed57a06b9d02bda279e25b9830ac4127f83ede4ac3
Opcode Fuzzy Hash: d0227ded3470789f635531116654856bac95c767f00d2fce7feb553d47f83eec
Instruction Fuzzy Hash: 5111F0B6D007498FDB20DF9AD484B9EFBF4EB48210F11842AD929A7200D375A946CFA5

Function 06C4EE1B Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06C4EC4C), ref: 06C4EE86

Memory Dump Source

Source File: 00000005.00000002.3167447754.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c40000_fpIGwanLZi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 97fbb755c269a753ae39b0fd0deaf7c2ee1538f4fbc176279c4d496025f026df
Instruction ID: 50d01b76d04e10afe6c7f41c42ed1cf4ff799f72eece430fe2fbc8f91436f5be
Opcode Fuzzy Hash: 97fbb755c269a753ae39b0fd0deaf7c2ee1538f4fbc176279c4d496025f026df
Instruction Fuzzy Hash: 601102B6C002498FDB20DF9AC484BDEFBF4EF48210F11841AD829B7200C375A546CFA5

Function 02F977F0 Relevance: .7, Instructions: 700
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b66fc176341e03e24b3f5c6ac7b80afe6dea9ffa1a2855177f1122e8afa41fe
Instruction ID: 9a32eade53968c23f4e8ab597dd7821f0d93da63ae9b79d778543c61833ee3e0
Opcode Fuzzy Hash: 2b66fc176341e03e24b3f5c6ac7b80afe6dea9ffa1a2855177f1122e8afa41fe
Instruction Fuzzy Hash: F3523074A00219CFFF259BA0C850B9EBB72FF59740F5080AAC50A6B7A0DB355D86DF61

Function 02F96E68 Relevance: .5, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9b91aa355bd0f102515c1ac53782dd93b700101b5854c42e443f632e6e6b03
Instruction ID: 2f9affdbef30e52bdae7c2af7919a4f9a3f0c991ae3891387a0d2f63b21ec212
Opcode Fuzzy Hash: 9d9b91aa355bd0f102515c1ac53782dd93b700101b5854c42e443f632e6e6b03
Instruction Fuzzy Hash: 02124871A102098FEF14DF69D884A9EBBF2BF48754F148569E909EB2A1DB31EC41CF50

Function 02F9A818 Relevance: .4, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f58e1ce64ba0883c7a306c9d6edd70652d68ed9d85c130252e50f904d2f870
Instruction ID: 6276bd0223c2e8f74d45f81b19fc5a6f8f546281e75fb339ea51576319b0e36b
Opcode Fuzzy Hash: 01f58e1ce64ba0883c7a306c9d6edd70652d68ed9d85c130252e50f904d2f870
Instruction Fuzzy Hash: 81F10A75E006158FDF05DFADC884AADBBF2BF88354B1A8059E615AB361CB35EC41CB50

Function 02F90C8F Relevance: .4, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a16565ad3ae7cf1c70129ce5fd592324d2dc65561cc071fb9ff6a0e7cc25cdc
Instruction ID: 3e8462e461bca877d955415e064ec50107edc34ef2b97d276263428971cb9a6d
Opcode Fuzzy Hash: 3a16565ad3ae7cf1c70129ce5fd592324d2dc65561cc071fb9ff6a0e7cc25cdc
Instruction Fuzzy Hash: E922A174A00219CFDB54DF65ED85A9DBBB2FF88301F1082A9D809AB364DB746D85CF81

Function 02F90CA0 Relevance: .4, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043083ca4e9a06de2911e4a78e01faca3fa89a32eae9277662f931353acb4fe4
Instruction ID: 98034f34b44b62513c303823627e876b07e074d9b6c53095e6266dee368d0a6c
Opcode Fuzzy Hash: 043083ca4e9a06de2911e4a78e01faca3fa89a32eae9277662f931353acb4fe4
Instruction Fuzzy Hash: 6322A174A00219CFDB54DF65ED85A9DBBB2FF88301F1082A9D809AB364DB746D85CF81

Function 02F987F8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2e748a4c93a73043938f77ef1b4bb7888db36a1b6515d6fc8825ee0f068d1b
Instruction ID: c87a63020334ddcf171475a156989884ca2eb2c241c23d58f1f535251f2a17ba
Opcode Fuzzy Hash: 1d2e748a4c93a73043938f77ef1b4bb7888db36a1b6515d6fc8825ee0f068d1b
Instruction Fuzzy Hash: 4FB11C71B102018FFF599F29C968B393696AF876C4F18446AE702DB3A1EF25CC41C751

Function 02F96E58 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08ce94dfe14780ef581c033aad661e2ff3d1ba3de4bbac242328eee9f312a67
Instruction ID: 6945649361e801620d933498c91c3df71c61cd10a2ad54baf08e79eee92987ff
Opcode Fuzzy Hash: a08ce94dfe14780ef581c033aad661e2ff3d1ba3de4bbac242328eee9f312a67
Instruction Fuzzy Hash: 6BC13771A102099FEF14DFA9C884A9EBBF6BF48748F158159EA19EB261D731EC40CF50

Function 02F956A8 Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803cc9a5b5ea125ab6f2c0502acb0eeb949a30e89e804b382698ac50de929ba1
Instruction ID: b3e551a076832ab49f970df3f39be4943e59d643cd3e5c23b98adc6e5c96b844
Opcode Fuzzy Hash: 803cc9a5b5ea125ab6f2c0502acb0eeb949a30e89e804b382698ac50de929ba1
Instruction Fuzzy Hash: 2391C031B042159FEF169F25C894B3E7BA2FB88244F58842DEA069B391DF758C41DB91

Function 02F9F790 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20169fd2987d046fb419ddae622fdbc90d6045201dee41ad2fc5ec259f5c41e
Instruction ID: 600e273787babe8e9536cc0350c5660e387dce93712027fbfd11f738c6eac480
Opcode Fuzzy Hash: a20169fd2987d046fb419ddae622fdbc90d6045201dee41ad2fc5ec259f5c41e
Instruction Fuzzy Hash: 82914B70B007069FDB54EF79C894A2EB7F2BF8C210B508629D50ACB755EB74E8458B94

Function 02F95C08 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abad818983fca46b02880149164eccabf6f9b121e8b9c53700c25ad8d395cd7b
Instruction ID: 1fde63fc627935b0ba9e0f2140ceb92a83f0f63710e40ab0cd8a8aeec5ab57d7
Opcode Fuzzy Hash: abad818983fca46b02880149164eccabf6f9b121e8b9c53700c25ad8d395cd7b
Instruction Fuzzy Hash: 6A81B031B041058FEF16DFB9C888A69B7B6FF88284B94816AD606EB361D731EC41CF50

Function 02F97438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8924575ca0a56195275c6af628807d38f3e85aff2964e92b4e739be49ff2d805
Instruction ID: 2b327248adb3931aca8f098e0844ede807fc78cfad2536c29348a361a64816da
Opcode Fuzzy Hash: 8924575ca0a56195275c6af628807d38f3e85aff2964e92b4e739be49ff2d805
Instruction Fuzzy Hash: DA71F974B20205CFDF55EF2DC894AA9BBE6AF49684F1540A5E606CB3B1DB70DC41CB90

Function 02F9F0C0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab0f91fa88862d659d66c14034e12755831eff2d04326da23301cf4c539003e
Instruction ID: a90ba9c9c51fabf60962f275056cadbe25c0f56da0c0771b113c0096a0bd3e61
Opcode Fuzzy Hash: 1ab0f91fa88862d659d66c14034e12755831eff2d04326da23301cf4c539003e
Instruction Fuzzy Hash: 7A71F435A112199FDF19EFA5D858AADBFB2FF88310F148129E806AB250DF349942CF50

Function 02F9CEC7 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2e33311f08ea2bc31bb167cebadc7e3f0b3c5543e6986e8f34413a2078d176
Instruction ID: 71d11f075adfeebbde1a64afa8541fde413d9f765f017efc2e92df4ab72f0096
Opcode Fuzzy Hash: 8c2e33311f08ea2bc31bb167cebadc7e3f0b3c5543e6986e8f34413a2078d176
Instruction Fuzzy Hash: 0E51BA30235343CFC2242F22A6AE56ABFA5FB0F367705AC44F40E994299F715859EB21

Function 02F9CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b2b31d4ddec8b673b3b4a417fc6fc8ccf9f450597bf40d469b6475782a5972
Instruction ID: bdf5675cc5a41e2a9aeeebc550aca6e9963f062f1ffef11784a7919bb7d2e04a
Opcode Fuzzy Hash: 30b2b31d4ddec8b673b3b4a417fc6fc8ccf9f450597bf40d469b6475782a5972
Instruction Fuzzy Hash: F3519970231347CFC2242F62E6AE52ABFA5FB4F367705AC00F50E894299F705859AB24

Function 02F9EBE8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17396c0a7569a4e97a7f4009f77c3f78546f15f3c602ab4325806d228327421
Instruction ID: f8a7446a71be3da4703d7ec6d1ad0afbd6d87a81af1e672e99e45a5fdac2c796
Opcode Fuzzy Hash: a17396c0a7569a4e97a7f4009f77c3f78546f15f3c602ab4325806d228327421
Instruction Fuzzy Hash: 83519D30941319CFEB24EFA4D46C3EEBBB1FB4A356F104869D202662E0CBB80A44CF50

Function 02F938F9 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527a5d4c6b1e57bd9a6d577d642baa472050c5aefc26729ee4605705ee6b8ee1
Instruction ID: 3f6098eff68ad3a006477ac7b812be2d4f882ca9acaf67c18c154b364dc0fa36
Opcode Fuzzy Hash: 527a5d4c6b1e57bd9a6d577d642baa472050c5aefc26729ee4605705ee6b8ee1
Instruction Fuzzy Hash: DB51B675E01208DFDB08DFA9D99099DBBB2FF8D300B209169E905AB364DB35AC46CF50

Function 02F9CD10 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0f99da3b9e165e09cecb9714a75a3266a883f40b84ecb1a302a190244310cc
Instruction ID: 383e69f5cad51108e2a385ec33cb1c98acfc6a0aaafa510d3c935dab851b30b0
Opcode Fuzzy Hash: bb0f99da3b9e165e09cecb9714a75a3266a883f40b84ecb1a302a190244310cc
Instruction Fuzzy Hash: 52519474E01218DFDB44DFA9D5849DDBBF2BF89300F24816AE919AB365DB31A901CF50

Function 02F93908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadcb338e50caae43a6ec930c6ce995abae09677bd445897895ae6e8af385af4
Instruction ID: 6ab6752b54f069599f4f1580ffd3ec24725d73a5d5f1e4a0f894da8e88ef2f78
Opcode Fuzzy Hash: cadcb338e50caae43a6ec930c6ce995abae09677bd445897895ae6e8af385af4
Instruction Fuzzy Hash: CE519575E01208CFDB08DFAAD99499DBBB2FF8D300B209169E905AB364DB35AC45CF50

Function 02F9F783 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4090154097a194de32b23a8c7676507786667bd189c26ca275c350f5c0bf83e5
Instruction ID: c1382cc6b148a65e55dca5785d20029404c8da2bd165286b5345131b5b12f608
Opcode Fuzzy Hash: 4090154097a194de32b23a8c7676507786667bd189c26ca275c350f5c0bf83e5
Instruction Fuzzy Hash: 7C418C70B007069FEB54EF75C891A2EB7B6FF88250B048629E516CB751EF74E841CBA4

Function 02F99A63 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f436b6e57a8c4d313215ca6ecb71f5b8f0ee7b49d558ddf739b74e18ba5d8
Instruction ID: 79f437458a1a9d95a7bcefdf6aa461d2163425a9a6a38bde27d7ce54dc5ab53c
Opcode Fuzzy Hash: 4c7f436b6e57a8c4d313215ca6ecb71f5b8f0ee7b49d558ddf739b74e18ba5d8
Instruction Fuzzy Hash: EE41C131A04249DFEF15CFA4C844B9DBFB2FF49394F058159EA15AB2A1D3B4E950CBA0

Function 02F9D7CE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f850c565c4af17beb8f0a6d58e9cb50172a84f93b0c288dd69376cac7c307af
Instruction ID: b5c09dddaf0ef56fd862a5d8afad9a17593a234011b1b2c9c1176988689e3a88
Opcode Fuzzy Hash: 8f850c565c4af17beb8f0a6d58e9cb50172a84f93b0c288dd69376cac7c307af
Instruction Fuzzy Hash: BA413775E04208CFEF14EFA8D884BEDBBB2FB49344F609129D619A7284DB359842CF15

Function 02F9D7EB Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b91a79c393a57aa920270d749d189a3bd8a44356596aa296543c6600064d203
Instruction ID: a4af920deaac4432fba2319f1578d90d8b96378bb0b25d7bf50ba0b2c276abc6
Opcode Fuzzy Hash: 3b91a79c393a57aa920270d749d189a3bd8a44356596aa296543c6600064d203
Instruction Fuzzy Hash: 80413771E00208CFEF00EFA8D484AEDBBB1FB49344F609115D609A7245D7359841CF15

Function 02F93428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6ee24a054b1165df7d57db829483fe816354c5507292ad999df9b1f9d976a8
Instruction ID: 9e936208622000e260ea29ebf9a121ac1f0cfac90054b638f0c5216c2f993816
Opcode Fuzzy Hash: ca6ee24a054b1165df7d57db829483fe816354c5507292ad999df9b1f9d976a8
Instruction Fuzzy Hash: 31312B36F003258BFF1D496A8A9437F65D6BBC9294F154179DA06D3380DFB4CC418791

Function 02F9D76E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d5a07ae979545b3daf2ce2e031fa6a6ff5822d2acf225fa4ae5703d76c4f41
Instruction ID: c6afdb9ccaf9f185c32d9cfed4983dba4d72d770617c1a18583712896fc52f11
Opcode Fuzzy Hash: 40d5a07ae979545b3daf2ce2e031fa6a6ff5822d2acf225fa4ae5703d76c4f41
Instruction Fuzzy Hash: 1741F371E01208CFEF14EFA8E484AEDBBB6FB49345F209129E619B7284D7359842CF55

Function 02F9D620 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245ade828204dbc109b720d38a17707c6b98bbc6150f68134ac0d1145e368fc7
Instruction ID: 11c58d3195edf38bfbb394ebc38d4c1107f7ecc691ffe0dc2407720a4a3c93df
Opcode Fuzzy Hash: 245ade828204dbc109b720d38a17707c6b98bbc6150f68134ac0d1145e368fc7
Instruction Fuzzy Hash: 1841F671E00208CFEB14EFAAD844AEEFBB6BB89344F24D129D614B7294DB759841CF54

Function 02F94DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751a650d1f2476ab6f8d65fe6f837caf500478ba278e1352df90c8ea16674bd5
Instruction ID: 0b2fa27014b758fd436ea7aa28ff35bdd818589c7b07070047e56f0c8c30e489
Opcode Fuzzy Hash: 751a650d1f2476ab6f8d65fe6f837caf500478ba278e1352df90c8ea16674bd5
Instruction Fuzzy Hash: EC31A23570021A9FDF059F65D854AAF3FB6FB68254F008429FA1587290CB38DC66DFA0

Function 02F95EA8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab4378fc35a6ed71705c54b0d9a8e27c51f2a34daa13b4233aa56c20291ac76
Instruction ID: d92ce5a38463cd4573dbb543450adb3f572dcc9a680cb3d6237be1d37048881a
Opcode Fuzzy Hash: 3ab4378fc35a6ed71705c54b0d9a8e27c51f2a34daa13b4233aa56c20291ac76
Instruction Fuzzy Hash: 9831AF30B043054FEB16A7BA9C50A6A3FAADFD518478440BADA01CB293EE71DC45CBA1

Function 02F9A660 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4b83a742d19c56bf23124412402964bde03c738743e9ded7091b763d286bd5
Instruction ID: ce56b241de75a35cbd49c1a8b6e8f97d303d229757005ea40ba4ebdd91c485cb
Opcode Fuzzy Hash: 6e4b83a742d19c56bf23124412402964bde03c738743e9ded7091b763d286bd5
Instruction Fuzzy Hash: 6131CF31B102089FDB089F65D8657AE7BF6BB8C600F148469EA06E73A1DE359C01DBA5

Function 02F976D0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4963020323597f7b840e014450f63db151ea1afca09ca63795689fea1fb3a1
Instruction ID: 2ec6ff96c8274d0d3015f69b5bd47bd4a2b370bd2198b0f9b6350974c43dd8c2
Opcode Fuzzy Hash: 3b4963020323597f7b840e014450f63db151ea1afca09ca63795689fea1fb3a1
Instruction Fuzzy Hash: D6215770B243081BFF2522398894B3DBA97AFC52947044079E706C7751EF22CC41E782

Function 02F9DF79 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70bf418aa89f72a0fe2ab611edb3293d14cd876f8a87f97ec96992fa3907edc
Instruction ID: 952aa51d5dfc7ba1eadb70adc59f56aa78fd2fdee4b492db70086cd505271efc
Opcode Fuzzy Hash: b70bf418aa89f72a0fe2ab611edb3293d14cd876f8a87f97ec96992fa3907edc
Instruction Fuzzy Hash: C121D071E002488FEF09EFAAD8053EDBBB6AFCA344F14D025C604B72A5D7708506CE50

Function 02F9A809 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba933c8ebcb730dabaf45b43d3bbc9dbe88c16d35f855c6a06c6ea18abcac6aa
Instruction ID: c1e513e3541489925b9836a1b3644bf5a1ad86deeeec472ac959cb36e2c3ab2a
Opcode Fuzzy Hash: ba933c8ebcb730dabaf45b43d3bbc9dbe88c16d35f855c6a06c6ea18abcac6aa
Instruction Fuzzy Hash: 7731C670E001158FDF05CF69C8889AEBBB2FF88354B158159E515973A5CB30EC42CF90

Function 02F976E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebec2a8f1f2008937c26dcda1b7c2de6af19cb4b80a4c0a389f035728e1ca93c
Instruction ID: 5a8a4d1abe62333d2fbea9e033c4a04f07b91396da250a8a507f6cd6924c50e8
Opcode Fuzzy Hash: ebec2a8f1f2008937c26dcda1b7c2de6af19cb4b80a4c0a389f035728e1ca93c
Instruction Fuzzy Hash: D421D6747243185BFF2826358894B3AB697AFC4794F144078E706CB794EF66CC41D782

Function 02F9F620 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cac5aaed4db9ef856d2ad2d6c759c6540f3198c3829e47cfc9d5bbee714d8d
Instruction ID: 3952ce43d350ab772a7f99be4b8b1f9ed77cf527f69343ab192f5d3b6e9bc6b4
Opcode Fuzzy Hash: 09cac5aaed4db9ef856d2ad2d6c759c6540f3198c3829e47cfc9d5bbee714d8d
Instruction Fuzzy Hash: B931B331E013158BEF21DF65C4407AEBBF5AF88690F448629D516E7A60CB74AC84CF91

Function 02F9F0BB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0751464206c48e9a3f493921a9e5cee16d9096ed39c02bbc6b45fb6d778f73be
Instruction ID: 6b9dd6123174c4ecdc15fa25e9bc8731369a63fe9ea81673d5dd03ff1b378bb7
Opcode Fuzzy Hash: 0751464206c48e9a3f493921a9e5cee16d9096ed39c02bbc6b45fb6d778f73be
Instruction Fuzzy Hash: 32313E35A003198FEF19EF79D4546ADBBB2AF88250F148529E416EB750DF349842CF60

Function 02F92060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cd7e64cfac1ea7e854a5ce373fce6de7b350f894cb06fb88e8122e7c91216c
Instruction ID: 92d630fdb086b82101806237a621941900e299b54b2c0de7dd83e515998443a2
Opcode Fuzzy Hash: e7cd7e64cfac1ea7e854a5ce373fce6de7b350f894cb06fb88e8122e7c91216c
Instruction Fuzzy Hash: 1321A335E00214AFDF15DB68C8409AE3BA6FF997A0F50C069ED058B254DB35EE81CBD1

Function 02F95A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48455274300a78ba747a6ab6d6718dc2535c38737bae982d6e1377fffb52b7a5
Instruction ID: cd31917bd964bb9dd5506641a31587184f09859f13053dd7b1445687ad7c5cbf
Opcode Fuzzy Hash: 48455274300a78ba747a6ab6d6718dc2535c38737bae982d6e1377fffb52b7a5
Instruction Fuzzy Hash: EB2196357016128FDB2A9A29C49452F7B67FB887957548179E906DB350CF34DC06CBC4

Function 0143D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164298338.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_143d000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0d0a528194974872c9990a30d5c9dfcf7ae98da59e2bd5df9ac7d20220359d
Instruction ID: 1438929636140ff67ce3ef19e40efc42fee61011eb2c3ee253228303a048afba
Opcode Fuzzy Hash: 7e0d0a528194974872c9990a30d5c9dfcf7ae98da59e2bd5df9ac7d20220359d
Instruction Fuzzy Hash: 8E2103B1904204DFDB15CF64C980B16FB75EBC8718F60C56AE9094B362C736D447CA62

Function 02F9F613 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7593e92de752b2c179a9e42f5d5e2550efa62862810f8f610c220feb0dabb4
Instruction ID: 2fb7a237df8f49d47b8fac6b0c2d342cca1c99e67aaea2466122606a80924acc
Opcode Fuzzy Hash: 3e7593e92de752b2c179a9e42f5d5e2550efa62862810f8f610c220feb0dabb4
Instruction Fuzzy Hash: A421E071E013599BFF11CF65D4807ADBBB2AF48690F048629C506F7A60CB74AC848FA1

Function 02F9A650 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afb1fca2cd7da11f859798115a85b723984c309019a63197848ddd169c79545
Instruction ID: e54906f66c298380352239a75a16bb7e54574ef5918e121d1de5b7b6ef69e244
Opcode Fuzzy Hash: 3afb1fca2cd7da11f859798115a85b723984c309019a63197848ddd169c79545
Instruction Fuzzy Hash: 5F21C036B102089FDF149E64D849BAEBFB6FB8C350F148169E611A7391CB31AC10DF90

Function 02F9215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06426bc51ccf5aa4ee62cb2aa7491d9c03e63e1a00188dc40a55d6b32882f7c4
Instruction ID: 22a3214ebc9eb56e6263f4fda35907f2ee5df6657a43dbb9c24edd72eb33987e
Opcode Fuzzy Hash: 06426bc51ccf5aa4ee62cb2aa7491d9c03e63e1a00188dc40a55d6b32882f7c4
Instruction Fuzzy Hash: 9511AF32F483899FCB029BBC9C104DEBF30FF892507258396E662B7191EA311906C751

Function 02F95A63 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347edac5f10af9064170e3ac07b1ed0ca7148fb7c7b36bc01240051287c309f3
Instruction ID: 0c1fdbc9fab610df686effec826101944e0f6e0c53aa7afedc5defe79e9e906c
Opcode Fuzzy Hash: 347edac5f10af9064170e3ac07b1ed0ca7148fb7c7b36bc01240051287c309f3
Instruction Fuzzy Hash: D511E935B016119FDB1A5E29C8A463E7BA6FF88795B584178EA06DB350DF30DC06CBC4

Function 02F9D60F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1efdfa2cf1405c948b095ae07c002a7a21c77747eaed1a6020253f11724c5ad
Instruction ID: d7f89802a3239450cf09154a637a0378e5077a9395d75dda70f03dc3f2232de6
Opcode Fuzzy Hash: b1efdfa2cf1405c948b095ae07c002a7a21c77747eaed1a6020253f11724c5ad
Instruction Fuzzy Hash: D9113A75E002498BEF08DFAAD8446EEBBB6ABC9345F24C025D618B72A5D77448068E54

Function 02F91F08 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14678f0e1f159d657e6a3c831b87a58758de4849271a80d725e5320bd2054cb2
Instruction ID: bdfcd5fae5d4a007229bf14503cc2b8aab699f88972d47bdecbae3774f05945d
Opcode Fuzzy Hash: 14678f0e1f159d657e6a3c831b87a58758de4849271a80d725e5320bd2054cb2
Instruction Fuzzy Hash: 5B213874C0420A8FDF11EFA8C8545EEBFF0BF49314F0451AAD945B7258EB301A4ADBA2

Function 02F95B50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d46c145f2a9fcb144e980ad03da1191465d0f2095a37edfb883b8d1858b44bd
Instruction ID: 8d953d842a74a19c95947415e57427b38dccf83ce4f30c6d15bb65ec2e70d3de
Opcode Fuzzy Hash: 6d46c145f2a9fcb144e980ad03da1191465d0f2095a37edfb883b8d1858b44bd
Instruction Fuzzy Hash: 9011ACB07012058FD740AF7AC090A2AB7E5FF89B80794447DD60ACB361DB75DC048B64

Function 02F91F61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd09329c2d5910402329406508d6d480e807a4c766a978a1d681ee8e6c7ed995
Instruction ID: 7fe5201c249890ac42c62f94a05c70eec57eb6cf0f5c2309495c8018a95c68f6
Opcode Fuzzy Hash: cd09329c2d5910402329406508d6d480e807a4c766a978a1d681ee8e6c7ed995
Instruction Fuzzy Hash: 0A21F2B4C0420A8FCB04EFA8D8455EEBFF0FB09300F04816AD919B3224EB301A45CBA2

Function 02F9F008 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1991d7a535a0a58d6c2a8774ad5486326ec21b3f9ad12bd2e7878f5f0565cec
Instruction ID: 4bbfe8a625a332a551e362b0e5cd06a6b9e97d1e2c601e80bbe5556c592274df
Opcode Fuzzy Hash: a1991d7a535a0a58d6c2a8774ad5486326ec21b3f9ad12bd2e7878f5f0565cec
Instruction Fuzzy Hash: 1A01F5317143049BEB040A3A585837BBEEFAFC9250B14857BE506C33A5CD348C018265

Function 02F9EFF9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a41670a42f7aaa31cd81a399ff2271a1afc2db322e9301e047201970d1b2a4
Instruction ID: 356a7e40154d4eb22870eae2082628023da7373f70bcdf56fc7e44575ae0ae3f
Opcode Fuzzy Hash: 65a41670a42f7aaa31cd81a399ff2271a1afc2db322e9301e047201970d1b2a4
Instruction Fuzzy Hash: 720122307082845FEB150B3A5C183BBBFEAABCA650B1884B6E14AC33A2CD348C019775

Function 0143D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164298338.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_143d000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction ID: cc34f36876e79327ada30077f634d4a63db242e5a1654877c24efc43c10cae64
Opcode Fuzzy Hash: af0032d31c21eee98164703ed9ecbad4511e5bcd2f12e312fdd1ff5dc5c24f5f
Instruction Fuzzy Hash: 9F11AC759042448FCB16CF54C5C4B16FB71FB88218F24C6AAD8494B362C33AD44ACB51

Function 02F95607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb8216dbbaae28013059887678797da823b34b6d9ffe62319c40ce92888756f
Instruction ID: bd6b70e03beef1fedda3e14990655ce26d017dd52a53a14bc955aae487991c25
Opcode Fuzzy Hash: 7bb8216dbbaae28013059887678797da823b34b6d9ffe62319c40ce92888756f
Instruction Fuzzy Hash: 4E01A772A04255AFDF138E559810AEF3FA6DFD9390B188066FA14D7191CA71C812DBA1

Function 02F95BF8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad20a943c8f76cccc671ec8d6a149bbd0fe237d2e4953435c255efb45d0e08f
Instruction ID: a5c170dcfbba71d9df83d9246a2b7768b2e560f0b3eebd0148da74679c04e87f
Opcode Fuzzy Hash: 3ad20a943c8f76cccc671ec8d6a149bbd0fe237d2e4953435c255efb45d0e08f
Instruction Fuzzy Hash: 0BF0A2727012405FDF135B39E440626BBA4FF852E4B5040BBC219CB202DB32D405C7A1

Function 02F95618 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856c095605cd010b9d160ed968f60d766429b238e0b0b29ef96a369414ed0a0e
Instruction ID: 304cb4a63089cca9034e0776a8cfc2fe4916343daaa898dae782aba55a3e0472
Opcode Fuzzy Hash: 856c095605cd010b9d160ed968f60d766429b238e0b0b29ef96a369414ed0a0e
Instruction Fuzzy Hash: 5201DB72B001156F9F069E599810AAF3BABDBDC791B54802AFA05D7244CE75CC119BA4

Function 02F9DF08 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f07d1451c9e13d2d334c07f98e4b4906a3a51e1429b9cbd28ee81cfb8a5324
Instruction ID: bcddabff2b6046023f6864e9506af63cf30051cbdfe0a34d4fc63b1a472f77c2
Opcode Fuzzy Hash: 70f07d1451c9e13d2d334c07f98e4b4906a3a51e1429b9cbd28ee81cfb8a5324
Instruction Fuzzy Hash: 2CF02735E042448FEF21AEA4F8163FDB379E78A398F100435C604F32A2D770941A8A90

Function 02F9D449 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5de68abe37ff3e8f2bb4afc2f4ef5a354826e92a798c1c81d65e85d952b15ba
Instruction ID: b00397ff56543c48d6e8e631979058937d7e6fdc11b5e8bfbf086761b3a9ecc9
Opcode Fuzzy Hash: e5de68abe37ff3e8f2bb4afc2f4ef5a354826e92a798c1c81d65e85d952b15ba
Instruction Fuzzy Hash: E4F0E531E402499BEF19BE68E9087FAB3B89787351F206434CB08F71A6D7717416DA50

Function 02F9DEB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a51d9562951a52a2edac7b01bdad7befe5e61b63ea2903aae368b074eedf3be
Instruction ID: eb53cfd2da88cfe2a50fa85d2a836d2e40e87867e21c2d511626078e6e944546
Opcode Fuzzy Hash: 4a51d9562951a52a2edac7b01bdad7befe5e61b63ea2903aae368b074eedf3be
Instruction Fuzzy Hash: 18F03A71B11228CFCB94EF7CC54465E77F4AF0825072144A9D509DB320EB30DD008BD0

Function 02F92010 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5be0fef1c63cc58b1495f84056a9bec2e3565ae52340928ae08ff5466875a1
Instruction ID: e98c1fc06cda64bb3b7bba79292a2e99764b6e583ffa159d096bf8d0a374e231
Opcode Fuzzy Hash: 2e5be0fef1c63cc58b1495f84056a9bec2e3565ae52340928ae08ff5466875a1
Instruction Fuzzy Hash: A1E06831C103696BCF129BA08C044DEFF38FD97BA0B440197C92037013E7A02509C3B0

Function 02F9D4B4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a83e8954308bdb23c53a1727cc17d3d4d6159473cb361cec3803d7753104856
Instruction ID: 9eb6e4bcb0afcb941445ae1f24b794143a6ea2ee85fd017017dc56a3d4aa5a08
Opcode Fuzzy Hash: 4a83e8954308bdb23c53a1727cc17d3d4d6159473cb361cec3803d7753104856
Instruction Fuzzy Hash: 82E026F3D08190CBFB24AFAA6516078BF34CEE3281B9460C7C289EB165D318E206DB15

Function 02F9FF93 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c2efdba2db21ce987a946f60508d72ec50f61769ce208895902a4c458e9372
Instruction ID: adb55e89ea4bda4ffa2a26ff4a568488c3480e4caa5591296ce6f9feb045d3ad
Opcode Fuzzy Hash: d8c2efdba2db21ce987a946f60508d72ec50f61769ce208895902a4c458e9372
Instruction Fuzzy Hash: BFF0063600000EBFCF429F80CE45E897FAAFF09358F4A9091FA189A131D632D564EB44

Function 02F9FFA0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fac0cb2d0dbd6f7678d7a3b3520e3fb86f3fbfd9c60dde2596fc3020e7a15ab
Instruction ID: 6f8a70d4bd77d134e82393acddb6c79b540ab4dc5d09f6c91dffdb9869f4d2ae
Opcode Fuzzy Hash: 4fac0cb2d0dbd6f7678d7a3b3520e3fb86f3fbfd9c60dde2596fc3020e7a15ab
Instruction Fuzzy Hash: BFE0B33600000EBFCF42AF90DA44CC97FAABB09258B4A9191FA189A131D632D5A5EB50

Function 02F92020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bda61b20d2ad4899e349c55bcda0414247c1c01911b2af6b4155930b16d114
Instruction ID: 7575c555999c5751dd42c298764ec0471084e92922679b7c8193e70e1e0ea7b7
Opcode Fuzzy Hash: b3bda61b20d2ad4899e349c55bcda0414247c1c01911b2af6b4155930b16d114
Instruction Fuzzy Hash: B8D01231D6022A978B01AAA5DC044DEBB39FE95721B914666D51437140EB70265986E1

Function 02F98258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: c0f85f59a69529bedaaab7d069670391f497c876dd9389e5447ec7e525d0119b
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: F8C0123360C1282AAA24108E7C40EA3AB8CC2C22F4A250137FA1CA3200A842AC8041A8

Function 02F9A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398ced4ec8cfc0c9e97cdd1db32ad2774d53e2947ab951939f6c141f4798103d
Instruction ID: 61b4b387f3d95a13727898fed246a0b726cedc32363981a90fd58168f4fbfbc2
Opcode Fuzzy Hash: 398ced4ec8cfc0c9e97cdd1db32ad2774d53e2947ab951939f6c141f4798103d
Instruction Fuzzy Hash: 7AD0677AB11108DFCB049F98E8409DDBBB6FB9C222B448116F915A3260C6319961DB94

Function 02F95EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3164994690.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f90000_fpIGwanLZi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cefa9076810b2ab0c3c967e9d0a5035c962275550db2d08cd92d3e0ff91676
Instruction ID: 32a81f614411b033bdf1db727b57399f1a91e1963fd24f456a886813c7262fdf
Opcode Fuzzy Hash: 81cefa9076810b2ab0c3c967e9d0a5035c962275550db2d08cd92d3e0ff91676
Instruction Fuzzy Hash: B4C0123011030F47E501E776ED45715372AB6E4504F84C550F01915565DEFC1CC58F96

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fpIGwanLZi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fpIGwanLZi.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
fpIGwanLZi.exe

Function 0148D5B9 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Function 0148D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0713E094 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 0713E0A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0148AF19 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 0148590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 01485A84 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 0148449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07115D50 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Function 0713DE10 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Function 0148D808 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 07115D58 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 0713DE18 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0713D871 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 0713DF00 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON